{"componentChunkName":"component---src-templates-article-template-js","path":"/blog/thisclosed_3/","result":{"data":{"allWebMentionEntry":{"edges":[]}},"pageContext":{"article":{"id":"dcbfe952-f30c-57b1-80b8-337571d2160d","author":"Samuele Gugliotta","body":"var _excluded = [\"components\"];\nfunction _extends() { _extends = Object.assign ? Object.assign.bind() : function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n/* @jsxRuntime classic */\n/* @jsx mdx */\n\nvar _frontmatter = {\n  \"templateKey\": \"blog-post\",\n  \"title\": \"thisclosed_#3\",\n  \"description\": \"Arbitrary File Upload via External Files Feature Allows Client-Side Remote Code Execution\",\n  \"author\": \"Samuele Gugliotta\",\n  \"authorURL\": \"https://twitter.com/hackrate\",\n  \"date\": \"2026-04-14T16:00:00.000Z\",\n  \"image\": \"/img/blog/thisclosed-3-cover.png\",\n  \"draft\": false,\n  \"tags\": [\"bug-bounty\", \"security-testing\", \"ethical-hacking\", \"writeup\"]\n};\nvar layoutProps 
= {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = \"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n    props = _objectWithoutProperties(_ref, _excluded);\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"h2\", {\n    \"id\": \"summary\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#summary\",\n    \"aria-label\": \"summary permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Summary\"), mdx(\"p\", null, \"During an assessment of a web-based platform (hereinafter referred to as \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"[REDACTED]\"), \"), I identified a critical vulnerability in the file upload mechanism exposed through the \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"External Files\"), \" feature within the project dashboard. 
This feature is designed to allow authenticated users to import supplementary documentation, such as \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".txt\"), \" and \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".md\"), \" files, to enrich project requirements.\"), mdx(\"p\", null, \"The user interface explicitly enforces the following constraints:\"), mdx(\"blockquote\", null, mdx(\"p\", {\n    parentName: \"blockquote\"\n  }, \"Allowed: .txt, .md files only \\xB7 Max 5 files \\xB7 Max 10KB per file\")), mdx(\"p\", null, \"However, these restrictions exist solely on the client side. The backend performs no validation whatsoever on the file extension, MIME type, or content body. By intercepting the upload request and manipulating the relevant fields, an attacker can submit arbitrary file types, including formats capable of executing code on the client\\u2019s machine upon download and execution. This class of vulnerability is formally catalogued as \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://cwe.mitre.org/data/definitions/434.html\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"CWE-434: Unrestricted Upload of File with Dangerous Type\"), \".\"), mdx(\"p\", null, mdx(\"img\", {\n    parentName: \"p\",\n    \"src\": \"https://cwe.mitre.org/data/images/CWE-434-Diagram.png\",\n    \"alt\": \"CWE-434 Diagram\"\n  })), mdx(\"p\", null, \"To demonstrate the severity of this flaw, I crafted and uploaded a \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".hta\"), \" file containing an ActiveX-based payload. When downloaded and opened on a Windows system, the file was processed by \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"mshta.exe\"), \", launching \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"calc.exe\"), \" as a benign proof of execution. 
Additional executable formats, including \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".html\"), \" and \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".exe\"), \", were also tested and accepted without restriction.\"), mdx(\"h2\", {\n    \"id\": \"technical-analysis\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#technical-analysis\",\n    \"aria-label\": \"technical analysis permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Technical Analysis\"), mdx(\"h3\", {\n    \"id\": \"upload-mechanism-and-client-side-only-validation-gap\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#upload-mechanism-and-client-side-only-validation-gap\",\n    \"aria-label\": \"upload mechanism and client side only validation gap permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 
3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Upload mechanism and client-side-only validation gap\"), mdx(\"p\", null, \"The \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"External Files\"), \" section resides within the project dashboard and serves as a repository for supplementary project documentation. File uploads are dispatched via a \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"POST\"), \" request to the following endpoint:\"), mdx(\"pre\", null, mdx(\"code\", {\n    parentName: \"pre\"\n  }, \"/api/app/uiengine/odata/[REDACTED]/modules/projectDashboard/pages/components/InputsTab/ExternalTools/$batch\\n\")), mdx(\"p\", null, \"The request body is a JSON structure containing file metadata and content:\"), mdx(\"pre\", null, mdx(\"code\", {\n    parentName: \"pre\",\n    \"className\": \"language-json\"\n  }, \"{\\n  \\\"requests\\\": [\\n    {\\n      \\\"method\\\": \\\"POST\\\",\\n      \\\"body\\\": {\\n        \\\"projectId\\\": [REDACTED],\\n        \\\"fileName\\\": \\\"sample.txt\\\",\\n        \\\"fileType\\\": \\\"text/plain\\\",\\n        \\\"uploadData\\\": {\\n          \\\"content\\\": \\\"Lorem Ipsum.\\\",\\n          \\\"uploadDate\\\": \\\"2025-07-15T22:58:51.555Z\\\"\\n        }\\n      },\\n      \\\"id\\\": \\\"86\\\",\\n      \\\"atomicityGroup\\\": \\\"86\\\",\\n      \\\"url\\\": \\\"[REDACTED]\\\"\\n    }\\n  ]\\n}\\n\")), mdx(\"p\", null, \"Three fields govern the upload behavior:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, mdx(\"inlineCode\", {\n    parentName: \"strong\"\n  }, \"fileName\")), \": determines the displayed name and file extension.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: 
\"li\"\n  }, mdx(\"inlineCode\", {\n    parentName: \"strong\"\n  }, \"fileType\")), \": declares the MIME type.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, mdx(\"inlineCode\", {\n    parentName: \"strong\"\n  }, \"uploadData.content\")), \": carries the full file content as a string.\")), mdx(\"p\", null, \"None of these fields undergo server-side sanitization or validation. The backend accepts whatever the client provides, persists the file, and surfaces it in the UI as a downloadable asset. No questions asked.\"), mdx(\"p\", null, mdx(\"img\", {\n    parentName: \"p\",\n    \"src\": \"https://media0.giphy.com/media/v1.Y2lkPTc5MGI3NjExM2Z4eThsNWZ0bHgwcWp0Y2ZmNTUxY3I3NWoybnAxeWQ2aGwzZXhkcyZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/CiZ9e5IUPqeVFzc8Mp/giphy.gif\",\n    \"alt\": null\n  })), mdx(\"p\", null, \"This is a textbook instance of misplaced trust in client-side controls. The restrictions visible in the UI (file type allowlist, size cap, file count limit) are enforced entirely within the browser\\u2019s JavaScript context. Any user with a web proxy, or even the browser\\u2019s built-in developer tools, can bypass these constraints trivially. Client-side validation serves a legitimate purpose as a usability layer: it provides immediate feedback and prevents accidental misuse. But it must never be the sole enforcement mechanism for security-relevant constraints. 
Without a corresponding server-side allowlist that independently verifies the file extension, inspects the MIME type, and ideally validates the content\\u2019s magic bytes against expected signatures, the upload endpoint is functionally unrestricted.\"), mdx(\"h3\", {\n    \"id\": \"exploiting-the-lack-of-server-side-validation-to-weaponize-a-hta-payload\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#exploiting-the-lack-of-server-side-validation-to-weaponize-a-hta-payload\",\n    \"aria-label\": \"exploiting the lack of server side validation to weaponize a hta payload permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Exploiting the lack of server-side validation to weaponize a \", mdx(\"inlineCode\", {\n    parentName: \"h3\"\n  }, \".hta\"), \" payload\"), mdx(\"p\", null, \"The exploitation is, frankly, trivial. By intercepting a legitimate \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".txt\"), \" upload with a web proxy, the attacker gains full control over the JSON payload before it reaches the server. 
Replacing \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"fileName\"), \" with \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"payload.hta\"), \", \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"fileType\"), \" with \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"application/hta\"), \", and injecting executable HTA markup into \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"uploadData.content\"), \" is all it takes:\"), mdx(\"pre\", null, mdx(\"code\", {\n    parentName: \"pre\",\n    \"className\": \"language-json\"\n  }, \"{\\n  \\\"requests\\\": [\\n    {\\n      \\\"method\\\": \\\"POST\\\",\\n      \\\"body\\\": {\\n        \\\"projectId\\\": [REDACTED],\\n        \\\"fileName\\\": \\\"payload.hta\\\",\\n        \\\"fileType\\\": \\\"application/hta\\\",\\n        \\\"uploadData\\\": {\\n          \\\"content\\\": \\\"<html><head><script>var shell = new ActiveXObject(\\\\\\\"WScript.Shell\\\\\\\");shell.Run(\\\\\\\"calc.exe\\\\\\\");</script></head><body></body></html>\\\",\\n          \\\"uploadDate\\\": \\\"2025-07-15T22:58:51.555Z\\\"\\n        }\\n      },\\n      \\\"id\\\": \\\"86\\\",\\n      \\\"atomicityGroup\\\": \\\"86\\\",\\n      \\\"url\\\": \\\"[REDACTED]\\\"\\n    }\\n  ]\\n}\\n\")), mdx(\"p\", null, \"The upload succeeds. 
The weaponized \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".hta\"), \" file appears in the UI alongside legitimate documents, available for download, waiting for a user to open it.\"), mdx(\"p\", null, mdx(\"img\", {\n    parentName: \"p\",\n    \"src\": \"https://media0.giphy.com/media/v1.Y2lkPTc5MGI3NjExZHI5Z3IxZTVrdTRic2NnbjRuNTczaHVrdzBjdm8weTVyOWRxbXR4ZyZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/KF1qNYHUi8wwTNIUUm/giphy.gif\",\n    \"alt\": null\n  })), mdx(\"h3\", {\n    \"id\": \"why-did-i-choose-hta-for-the-poc-here-is-the-rationale\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#why-did-i-choose-hta-for-the-poc-here-is-the-rationale\",\n    \"aria-label\": \"why did i choose hta for the poc here is the rationale permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Why did I choose \", mdx(\"inlineCode\", {\n    parentName: \"h3\"\n  }, \".hta\"), \" for the PoC? Here is the rationale\"), mdx(\"p\", null, mdx(\"img\", {\n    parentName: \"p\",\n    \"src\": \"https://imgur.com/SobZxvf.jpeg\",\n    \"alt\": null\n  })), mdx(\"p\", null, \"I chose the \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".hta\"), \" (HTML Application) format deliberately because of its unique execution model on Windows systems. 
An HTA file is structurally identical to an HTML document, but it operates under an entirely different trust model. When a user opens an \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".hta\"), \" file, Windows delegates execution to \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"mshta.exe\"), \" (Microsoft HTML Application Host), a signed, native binary located at \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"C:\\\\Windows\\\\System32\\\\mshta.exe\"), \". Unlike a standard \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".html\"), \" file rendered within a browser\\u2019s sandboxed environment, an HTA executes as a standalone application outside the browser\\u2019s security context. This means it is not subject to Internet Explorer zone restrictions, Protected Mode limitations, or any of the sandboxing controls that browsers impose on web-delivered scripts.\"), mdx(\"p\", null, \"Consequently, scripts embedded in an HTA file run with the full privileges of the current user. They can instantiate COM/ActiveX objects, interact with the Windows Script Host, read and write to the file system, modify the registry, and spawn arbitrary processes. 
In my proof of concept, the payload leveraged this capability to instantiate a \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"WScript.Shell\"), \" ActiveX object and invoke \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"calc.exe\"), \", a standard and benign demonstration of arbitrary command execution.\"), mdx(\"p\", null, \"From an offensive security perspective, \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"mshta.exe\"), \" is classified as a \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://lolbas-project.github.io/lolbas/Binaries/Mshta/\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"Living off the Land Binary (LOLBin)\"), \", a category of legitimate, vendor-signed system utilities that attackers routinely co-opt to proxy the execution of malicious code. Because \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"mshta.exe\"), \" is a trusted Microsoft binary that ships with every Windows installation, its execution blends seamlessly into normal system activity and is far less likely to trigger behavioral heuristics in endpoint detection products. 
It has its own dedicated entry in the MITRE ATT&CK framework under technique \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://attack.mitre.org/techniques/T1218/005/\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"T1218.005 (System Binary Proxy Execution: Mshta)\"), \", and it is actively leveraged by numerous threat actors and malware families in real-world campaigns.\"), mdx(\"p\", null, \"Simple as that.\"), mdx(\"h2\", {\n    \"id\": \"impact\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#impact\",\n    \"aria-label\": \"impact permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Impact\"), mdx(\"p\", null, \"While client-side RCE via \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".hta\"), \" serves as the most tangible demonstration of this vulnerability, the underlying risk is systemic. The upload mechanism imposes no server-side restrictions on what enters the platform, which means the \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"External Files\"), \" feature is, in practice, an unrestricted file distribution channel embedded within a trusted interface.\"), mdx(\"p\", null, \"This has two immediate consequences. 
First, any authenticated user can leverage the feature to deliver executable or otherwise harmful content to anyone who downloads from the same project. Second, in collaborative or multi-user environments, an attacker does not need to phish, redirect, or socially engineer a target through external channels. The payload is already inside the platform, sitting in a shared workspace, served by the application itself.\"), mdx(\"hr\", null), mdx(\"h2\", {\n    \"id\": \"acknowledgements\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#acknowledgements\",\n    \"aria-label\": \"acknowledgements permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Acknowledgements\"), mdx(\"p\", null, \"I would like to thank the Hackrate team for their consistently swift and efficient triage throughout this engagement, and the client\\u2019s security team for their responsiveness in addressing the reported issue. 
This finding was part of a private bug bounty program on Hackrate that overall resulted in a \\u20AC\\u20AC\\u20AC\\u20AC bounty payout.\"), mdx(\"p\", null, mdx(\"em\", {\n    parentName: \"p\"\n  }, \"venomnis\")));\n}\n;\nMDXContent.isMDXComponent = true;","slug":"/blog/thisclosed_3/","timeToRead":"6 min read","date":"April 14, 2026","dateString":"April 14, 2026","datePublishedSeoFormat":"2026-04-14","title":"thisclosed_#3","excerpt":"Arbitrary File Upload via External Files Feature Allows Client-Side Remote Code Execution","tags":["bug-bounty","security-testing","ethical-hacking","writeup"],"lastModificationTime":null,"lastModificationTimeString":null,"dateModifiedSeoFormat":null,"hero":{"full":{"base64":"data:image/png;base64,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","aspectRatio":1.7777777777777777,"src":"/static/c788c5bd9803c97cfd624ec66ee322f6/0e6e2/thisclosed-3-cover.png","srcSet":"/static/c788c5bd9803c97cfd624ec66ee322f6/6ba37/thisclosed-3-cover.png 512w,\n/static/c788c5bd9803c97cfd624ec66ee322f6/4e530/thisclosed-3-cover.png 1024w,\n/static/c788c5bd9803c97cfd624ec66ee322f6/0e6e2/thisclosed-3-cover.png 1920w","srcWebp":"/static/c788c5bd9803c97cfd624ec66ee322f6/30cf3/thisclosed-3-cover.webp","srcSetWebp":"/static/c788c5bd9803c97cfd624ec66ee322f6/e4e36/thisclosed-3-cover.webp 512w,\n/static/c788c5bd9803c97cfd624ec66ee322f6/e0f73/thisclosed-3-cover.webp 1024w,\n/static/c788c5bd9803c97cfd624ec66ee322f6/30cf3/thisclosed-3-cover.webp 1920w","sizes":"(max-width: 1920px) 100vw, 1920px"}},"commentId":"/blog/thisclosed_3/","tableOfContents":{"items":[{"url":"#summary","title":"Summary"},{"url":"#technical-analysis","title":"Technical Analysis","items":[{"url":"#upload-mechanism-and-client-side-only-validation-gap","title":"Upload mechanism and client-side-only validation gap"},{"url":"#exploiting-the-lack-of-server-side-validation-to-weaponize-a-hta-payload","title":"Exploiting the lack of server-side validation to weaponize a .hta 
payload"},{"url":"#why-did-i-choose-hta-for-the-poc-here-is-the-rationale","title":"Why did I choose .hta for the PoC? Here is the rationale"}]},{"url":"#impact","title":"Impact"},{"url":"#acknowledgements","title":"Acknowledgements"}]},"lastModifiedTime":"2026-04-14T16:00:00.000Z","lastModifiedTimeString":"April 14, 2026"},"authors":[{"bio":"@venomnis \nOffensive Security Researcher, Bug Bounty Hunter, Hacker, Cyber Security Advisor, Speaker, Hackfluencer, CTF Player and other words that end with -er. \n","id":"3084a749-0990-52b2-82fd-db3a19ee5899","name":"Samuele Gugliotta","featured":true,"twitter":"@hackrate","slug":"venomnis","avatar":{"small":{"base64":"data:image/jpeg;base64,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","aspectRatio":1,"src":"/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/00991/venomnis.jpg","srcSet":"/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/8696d/venomnis.jpg 16w,\n/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/547ef/venomnis.jpg 32w,\n/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/00991/venomnis.jpg 64w,\n/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/0b461/venomnis.jpg 96w,\n/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/7d668/venomnis.jpg 128w,\n/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/724c8/venomnis.jpg 1000w","srcWebp":"/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/282c5/venomnis.webp","srcSetWebp":"/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/302d4/venomnis.webp 16w,\n/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/97620/venomnis.webp 32w,\n/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/282c5/venomnis.webp 64w,\n/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/5a4e0/venomnis.webp 96w,\n/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/e28f0/venomnis.webp 128w,\n/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/36ebb/venomnis.webp 1000w","sizes":"(max-width: 64px) 100vw, 
64px"},"medium":{"base64":"data:image/jpeg;base64,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","aspectRatio":1,"src":"/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/7d668/venomnis.jpg","srcSet":"/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/547ef/venomnis.jpg 32w,\n/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/00991/venomnis.jpg 64w,\n/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/7d668/venomnis.jpg 128w,\n/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/3e5eb/venomnis.jpg 192w,\n/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/d64b1/venomnis.jpg 256w,\n/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/724c8/venomnis.jpg 1000w","srcWebp":"/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/e28f0/venomnis.webp","srcSetWebp":"/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/97620/venomnis.webp 32w,\n/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/282c5/venomnis.webp 64w,\n/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/e28f0/venomnis.webp 128w,\n/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/a278a/venomnis.webp 192w,\n/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/b42dd/venomnis.webp 256w,\n/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/36ebb/venomnis.webp 1000w","sizes":"(max-width: 128px) 100vw, 
128px"},"large":{"base64":"data:image/jpeg;base64,/9j/2wBDABALDA4MChAODQ4SERATGCgaGBYWGDEjJR0oOjM9PDkzODdASFxOQERXRTc4UG1RV19iZ2hnPk1xeXBkeFxlZ2P/2wBDARESEhgVGC8aGi9jQjhCY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2P/wgARCAAUABQDASIAAhEBAxEB/8QAFwABAQEBAAAAAAAAAAAAAAAAAAMCBf/EABYBAQEBAAAAAAAAAAAAAAAAAAABAv/aAAwDAQACEAMQAAAB4Fo7zNJgALf/xAAaEAACAgMAAAAAAAAAAAAAAAAAARARAiEx/9oACAEBAAEFAhZHIrVin//EABQRAQAAAAAAAAAAAAAAAAAAACD/2gAIAQMBAT8BH//EABYRAQEBAAAAAAAAAAAAAAAAABEAEP/aAAgBAgEBPwEjf//EABQQAQAAAAAAAAAAAAAAAAAAADD/2gAIAQEABj8CH//EABkQAAMBAQEAAAAAAAAAAAAAAAABERAxYf/aAAgBAQABPyFOCH4XiUQ4KdYuf//aAAwDAQACAAMAAAAQvxDA/8QAFhEBAQEAAAAAAAAAAAAAAAAAEQAQ/9oACAEDAQE/ECN//8QAGBEAAgMAAAAAAAAAAAAAAAAAAAEQEUH/2gAIAQIBAT8QaMsbH//EABwQAQADAAIDAAAAAAAAAAAAAAEAESFRYTFBcf/aAAgBAQABPxDA8SuHXcs0IeSGx5hI2bsGob+yjiEUXhnUd9E//9k=","aspectRatio":1,"src":"/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/ec46e/venomnis.jpg","srcSet":"/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/a2637/venomnis.jpg 82w,\n/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/15203/venomnis.jpg 164w,\n/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/ec46e/venomnis.jpg 328w,\n/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/b69a5/venomnis.jpg 492w,\n/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/23a36/venomnis.jpg 656w,\n/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/724c8/venomnis.jpg 1000w","srcWebp":"/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/5a48e/venomnis.webp","srcSetWebp":"/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/2d087/venomnis.webp 82w,\n/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/29d87/venomnis.webp 164w,\n/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/5a48e/venomnis.webp 328w,\n/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/42f2e/venomnis.webp 492w,\n/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/dec03/venomnis.webp 656w,\n/static/6dd745b4b50d2aaa0b227ad6e9a6ebcb/36ebb/venomnis.webp 1000w","sizes":"(max-width: 328px) 100vw, 328px"}}}],"relatedArticles":[{"id":"af9be85a-bfb6-57fa-957c-10d3c131ae59","author":"Balazs Pozner","body":"var _excluded = 
[\"components\"];\nfunction _extends() { _extends = Object.assign ? Object.assign.bind() : function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n/* @jsxRuntime classic */\n/* @jsx mdx */\n\nvar _frontmatter = {\n  \"templateKey\": \"blog-post\",\n  \"title\": \"ENISA NIS2 mapping makes vulnerability handling and disclosure a standalone requirement\",\n  \"description\": \"ENISA’s NIS2 technical implementation guidance treats vulnerability handling and disclosure (control 6.10) as a standalone requirement. 
This article explains what an assessor-grade vulnerability disclosure policy looks like in practice.\",\n  \"author\": \"Balazs Pozner\",\n  \"authorURL\": \"https://twitter.com/hackrate\",\n  \"date\": \"2026-01-26T09:00:00.000Z\",\n  \"image\": \"/img/blog/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.png\",\n  \"tags\": [\"security-testing\", \"ethical-hacking\", \"news\"]\n};\nvar layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = \"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n    props = _objectWithoutProperties(_ref, _excluded);\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"p\", null, \"ENISA\\u2019s NIS2 technical implementation guidance treats vulnerability handling and disclosure as a distinct control area (6.10), separate from security testing (6.5) and security patch management (6.6). The practical implication is that organizations should be able to evidence an end to end vulnerability handling process that includes external intake, internal triage, remediation linkage, and disclosure handling aligned to applicable national coordinated vulnerability disclosure policy.\"), mdx(\"p\", null, \"A vulnerability disclosure policy (VDP) is not sufficient on its own. 
What matters is a VDP backed by an operating workflow with records that demonstrate 6.10 is implemented.\"), mdx(\"h2\", {\n    \"id\": \"what-enisa-separates-in-practice\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#what-enisa-separates-in-practice\",\n    \"aria-label\": \"what enisa separates in practice permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"What ENISA separates in practice\"), mdx(\"p\", null, \"For implementation purposes, three activities that are often blended in day to day security operations should be evidenced distinctly:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"Security testing (6.5):\"), \" planned assessments with defined scope, methodology and reporting.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"Security patch management (6.6):\"), \" remediation planning, patch deployment and operational confirmation of fixes.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"Vulnerability handling and disclosure (6.10):\"), \" obtaining vulnerability information, assessing exposure, addressing critical vulnerabilities without undue delay, integrating 
handling with other management processes and maintaining a disclosure procedure aligned to coordinated vulnerability disclosure policy.\")), mdx(\"p\", null, \"The key point is not organizational structure. It is evidence. Assessors will look for control specific artefacts and records that demonstrate 6.10 is implemented, repeatable and used.\"), mdx(\"h2\", {\n    \"id\": \"minimum-viable-vdp-that-can-be-evidenced\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#minimum-viable-vdp-that-can-be-evidenced\",\n    \"aria-label\": \"minimum viable vdp that can be evidenced permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Minimum viable VDP that can be evidenced\"), mdx(\"p\", null, \"A VDP that stands up to scrutiny is a policy plus a workflow plus records. 
At minimum, the policy should define reporting channels, scope and safe harbor, triage targets, severity assessment, remediation and disclosure handling.\"), mdx(\"h3\", {\n    \"id\": \"public-reporting-channels\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#public-reporting-channels\",\n    \"aria-label\": \"public reporting channels permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Public reporting channels\"), mdx(\"p\", null, \"Provide a dedicated security contact and a stable reporting mechanism that remains valid over time. 
Make the reporting channel discoverable from the organization\\u2019s domain, commonly via \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"/.well-known/security.txt\"), \", and offer an option for encrypted communication, such as a published PGP key.\"), mdx(\"h3\", {\n    \"id\": \"scope-and-safe-harbor\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#scope-and-safe-harbor\",\n    \"aria-label\": \"scope and safe harbor permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Scope and safe harbor\"), mdx(\"p\", null, \"Define which systems are in scope, which are excluded, and what testing behavior is allowed. State prohibited activities explicitly, including denial of service, social engineering, and physical intrusion. 
Include a good faith safe harbor statement.\"), mdx(\"h3\", {\n    \"id\": \"triage-and-response-targets\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#triage-and-response-targets\",\n    \"aria-label\": \"triage and response targets permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Triage and response targets\"), mdx(\"p\", null, \"Define measurable targets that you can meet and audit. 
For example, acknowledge receipt within 2 business days, provide an initial triage outcome within 7 business days, and define remediation targets by severity.\"), mdx(\"h3\", {\n    \"id\": \"severity-and-prioritization-method\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#severity-and-prioritization-method\",\n    \"aria-label\": \"severity and prioritization method permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Severity and prioritization method\"), mdx(\"p\", null, \"Use a consistent scoring approach (such as CVSS v3.1 or v4.0), and document what inputs drive the score in your environment.\"), mdx(\"h3\", {\n    \"id\": \"remediation-linkage-and-verification\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#remediation-linkage-and-verification\",\n    \"aria-label\": \"remediation linkage and verification permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 
9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Remediation linkage and verification\"), mdx(\"p\", null, \"Every accepted report should map to an internal tracking ticket with an accountable owner, fix target and status. Closure should require verification evidence, such as retest notes, fixed version identifiers, and deployment confirmation, not only a developer comment stating \\u201Cresolved.\\u201D If a report is closed as \\u201Cwon\\u2019t fix,\\u201D require a recorded rationale and approval.\"), mdx(\"h2\", {\n    \"id\": \"workflow-design-that-prevents-predictable-failure-modes\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#workflow-design-that-prevents-predictable-failure-modes\",\n    \"aria-label\": \"workflow design that prevents predictable failure modes permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Workflow design that prevents predictable failure modes\"), mdx(\"p\", null, \"A disclosure workflow fails in repeatable ways. 
A workable design reduces noise, enforces reproducibility, assigns accountable ownership, and produces evidence that can survive assessment.\"), mdx(\"p\", null, \"Filtering should remove reports that cannot be actioned. Define reject criteria for out of scope targets, missing reproduction steps, unclear impact, and non actionable scanner output. Deduplication should be based on root cause and exploit path, not URL variations, and should preserve credit attribution when multiple reporters converge on the same issue.\"), mdx(\"p\", null, \"Route every accepted report through a tracked system, not email forwarding. Require structured fields that allow audits and reporting, including asset and environment, severity and rationale, accountable owner, due date, fix version, deployment evidence, and a disclosure status log. Avoid \\u201Cshared inbox only\\u201D ownership models, because they produce gaps when staffing changes and make SLAs non verifiable.\"), mdx(\"h2\", {\n    \"id\": \"self-managed-vdp-risks-and-controls\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#self-managed-vdp-risks-and-controls\",\n    \"aria-label\": \"self managed vdp risks and controls permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Self managed VDP risks and 
controls\"), mdx(\"p\", null, \"A self managed VDP can work, but only if it is resourced, measurable and enforced. Common failure modes and controls include:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"High noise volume:\"), \" enforce submission requirements, reject non reproducible reports, and implement deduplication based on root cause.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"Inconsistent triage decisions:\"), \" publish acceptance criteria and apply a standard reproduction and severity checklist.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"Misrouting and delays:\"), \" require a single owned intake channel, tracked case management, and named owners.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"Communication gaps:\"), \" use templated acknowledgements, scheduled status updates and defined escalation triggers.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"Evidence gaps:\"), \" retain timestamps, decisions, remediation linkage, and verification artefacts so cases can be reconstructed during assessment.\")), mdx(\"h2\", {\n    \"id\": \"when-hackrate-managed-vdp-is-justified\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#when-hackrate-managed-vdp-is-justified\",\n    \"aria-label\": \"when hackrate managed vdp is justified permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 
0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"When Hackrate managed VDP is justified\"), mdx(\"p\", null, \"For many organizations, the hardest part of 6.10 is not writing a policy. It is operating the intake and triage loop reliably at volume with complete records.\"), mdx(\"p\", null, \"Hackrate provides the Hackrate Ethical Hacking platform to manage vulnerability submissions through a structured intake channel with case tracking and an auditable record of actions and communications. We help validate reported issues, including reproduction and impact clarification, so your internal teams receive actionable findings rather than unfiltered inbox traffic. We also handle communication with ethical hackers, including acknowledgements, clarification requests, and status updates, so timelines remain predictable and interactions remain consistent.\"), mdx(\"p\", null, \"Hackrate also provides the legal and operational documents required to run a VDP, so teams do not need to draft them from scratch. This includes VDP policy language, scope and safe harbor terms, disclosure rules, and program terms that can be adapted to your environment.\"), mdx(\"p\", null, \"In this model, your organization retains decision rights for risk acceptance, remediation prioritization, and deployment approval. 
Hackrate focuses on managed intake, validation support, and communications, plus a complete evidence trail that connects submissions to triage outcomes and remediation status.\"));\n}\n;\nMDXContent.isMDXComponent = true;","slug":"/blog/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement/","timeToRead":"5 min read","date":"January 26, 2026","dateString":"January 26, 2026","datePublishedSeoFormat":"2026-01-26","title":"ENISA NIS2 mapping makes vulnerability handling and disclosure a standalone requirement","excerpt":"ENISA’s NIS2 technical implementation guidance treats vulnerability handling and disclosure (control 6.10) as a standalone requirement. This article explains what an assessor-grade vulnerability disclosure policy looks like in practice.","tags":["security-testing","ethical-hacking","news"],"lastModificationTime":null,"lastModificationTimeString":null,"dateModifiedSeoFormat":null,"hero":{"full":{"base64":"data:image/png;base64,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","aspectRatio":1.78397212543554,"src":"/static/0412079155af02d8915db4717f60957e/43a2d/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.png","srcSet":"/static/0412079155af02d8915db4717f60957e/6ba37/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.png 512w,\n/static/0412079155af02d8915db4717f60957e/4e530/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.png 1024w,\n/static/0412079155af02d8915db4717f60957e/43a2d/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.png 2048w,\n/static/0412079155af02d8915db4717f60957e/0b1d6/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.png 
2768w","srcWebp":"/static/0412079155af02d8915db4717f60957e/ceab5/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.webp","srcSetWebp":"/static/0412079155af02d8915db4717f60957e/e4e36/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.webp 512w,\n/static/0412079155af02d8915db4717f60957e/e0f73/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.webp 1024w,\n/static/0412079155af02d8915db4717f60957e/ceab5/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.webp 2048w,\n/static/0412079155af02d8915db4717f60957e/ab56b/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.webp 2768w","sizes":"(max-width: 2048px) 100vw, 2048px"}},"commentId":"/blog/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement/","tableOfContents":{"items":[{"url":"#what-enisa-separates-in-practice","title":"What ENISA separates in practice"},{"url":"#minimum-viable-vdp-that-can-be-evidenced","title":"Minimum viable VDP that can be evidenced","items":[{"url":"#public-reporting-channels","title":"Public reporting channels"},{"url":"#scope-and-safe-harbor","title":"Scope and safe harbor"},{"url":"#triage-and-response-targets","title":"Triage and response targets"},{"url":"#severity-and-prioritization-method","title":"Severity and prioritization method"},{"url":"#remediation-linkage-and-verification","title":"Remediation linkage and verification"}]},{"url":"#workflow-design-that-prevents-predictable-failure-modes","title":"Workflow design that prevents predictable failure modes"},{"url":"#self-managed-vdp-risks-and-controls","title":"Self managed VDP risks and controls"},{"url":"#when-hackrate-managed-vdp-is-justified","title":"When Hackrate managed VDP is justified"}]},"lastModifiedTime":"2026-01-26T09:00:00.000Z","lastModifiedTimeString":"January 26, 
2026"},{"id":"ec08dabc-c4c2-5667-a9ea-4ae6767e006d","author":"Balazs Pozner","body":"var _excluded = [\"components\"];\nfunction _extends() { _extends = Object.assign ? Object.assign.bind() : function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n/* @jsxRuntime classic */\n/* @jsx mdx */\n\nvar _frontmatter = {\n  \"templateKey\": \"blog-post\",\n  \"title\": \"Let 2026 be the year bug bounty becomes part of how you build and operate\",\n  \"description\": \"This article explains why 2026 is the right time to make bug bounty a practical, continuous security feedback loop and how Hackrate can help you launch it with confidence.\",\n  \"author\": \"Balazs Pozner\",\n  \"authorURL\": \"https://twitter.com/hackrate\",\n  \"date\": \"2026-01-05T09:00:00.000Z\",\n  \"image\": \"/img/blog/Let-2026-be-the-year-bug-bounty-becomes-part-of-how-you-build-and-operate.png\",\n  \"tags\": [\"hackrate\", \"ethical-hacking\", \"security-testing\", \"news\", 
\"getting-started\"]\n};\nvar layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = \"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n    props = _objectWithoutProperties(_ref, _excluded);\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"p\", null, \"Many organizations still treat offensive testing as a scheduled engagement, while their applications change monthly or even more frequently. Bug bounty is a practical way to keep security testing aligned with continuous change.\"), mdx(\"p\", null, \"A traditional \\u201Csecurity audit\\u201D model is still common: fixed scope, fixed timeline, and a report that starts aging as soon as the next release ships. That model can be useful, but it does not match how modern teams build and deploy.\"), mdx(\"p\", null, \"The problem is not that pentesting is bad. The problem is timing. If your development model is continuous, periodic testing quickly becomes a snapshot of a system that no longer exists.\"), mdx(\"p\", null, \"Bug bounty works well here because it is not a one-time assessment. 
It is continuous feedback from people who spend their time trying to break real systems as they change.\"), mdx(\"h2\", {\n    \"id\": \"why-periodic-pentests-often-miss-what-matters\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#why-periodic-pentests-often-miss-what-matters\",\n    \"aria-label\": \"why periodic pentests often miss what matters permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Why periodic pentests often miss what matters\"), mdx(\"p\", null, \"Pentests are valuable for baseline coverage, assurance, and structured validation. But a time-boxed engagement has limits by design: constrained time, constrained scope, and a limited set of perspectives.\"), mdx(\"p\", null, \"Over multiple years, repeated testing against the same application can converge toward familiar paths and familiar findings. That is not a criticism of testers. It is what happens when the same constraints repeat.\"), mdx(\"p\", null, \"Meanwhile, the issues that hurt most in modern web applications are often not exotic. 
They are the messy ones: authorization mistakes, workflow abuse, subtle authentication edge cases, integration assumptions, and regressions introduced during refactors.\"), mdx(\"p\", null, \"Bug bounty adds something that is difficult to replicate in any other format: \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"diversity of thinking at scale\"), \". Different researchers approach the same target with different instincts, tooling, and threat models. That variety is where the surprising reports come from.\"), mdx(\"h2\", {\n    \"id\": \"continuous-development-needs-security-that-stays-on\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#continuous-development-needs-security-that-stays-on\",\n    \"aria-label\": \"continuous development needs security that stays on permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Continuous development needs security that stays on\"), mdx(\"p\", null, \"If you release weekly, a snapshot assessment from January is rarely a good description of what you are running by March.\"), mdx(\"p\", null, \"New endpoints appear. Permissions change. Features roll out behind flags. Even strong internal controls cannot prevent every regression. The goal is not perfection. 
The goal is fast discovery and fast learning.\"), mdx(\"p\", null, \"Bug bounty supports that goal because it runs continuously. It often becomes most active around major releases, when new features introduce new attack paths.\"), mdx(\"h2\", {\n    \"id\": \"starting-safely-without-creating-noise\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#starting-safely-without-creating-noise\",\n    \"aria-label\": \"starting safely without creating noise permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Starting safely without creating noise\"), mdx(\"p\", null, \"The common fear is operational: spam reports, duplicates, low-value submissions, and overwhelmed teams. That outcome is avoidable. A strong launch looks like this:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Start with a private program.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Keep scope tight and explicit.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Make triage and remediation ownership real, not theoretical.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Expand only when response times and report quality are stable.\")), mdx(\"p\", null, \"A bug bounty program is not hard because researchers are difficult. 
It is hard when scope is unclear, response is slow, and severity discussions turn into endless negotiation. \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"Those are program design problems and they are solvable.\")), mdx(\"h2\", {\n    \"id\": \"how-hackrate-can-help-you-get-started\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#how-hackrate-can-help-you-get-started\",\n    \"aria-label\": \"how hackrate can help you get started permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"How Hackrate can help you get started\"), mdx(\"p\", null, \"If your applications change continuously, your security testing should reflect that reality. Bug bounty is not a replacement for everything else, but it is one of the few models that keeps producing value while the system changes.\"), mdx(\"p\", null, \"Hackrate can help you turn that idea into a program you can run. We can help you plan a safe private launch, shape scope so researchers spend time where it matters, and set expectations that keep the signal high for your team. 
If you are considering a bug bounty program in 2026, we are happy to talk, share what works in practice, and plan the next steps with you.\"), mdx(\"p\", null, \"Reach out through \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://www.hckrt.com/Home/RequestADemo\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"Hackrate\"), \" and we will take it from there.\"));\n}\n;\nMDXContent.isMDXComponent = true;","slug":"/blog/Let-2026-be-the-year-bug-bounty-becomes-part-of-how-you-build-and-operate/","timeToRead":"4 min read","date":"January 05, 2026","dateString":"January 05, 2026","datePublishedSeoFormat":"2026-01-05","title":"Let 2026 be the year bug bounty becomes part of how you build and operate","excerpt":"This article explains why 2026 is the right time to make bug bounty a practical, continuous security feedback loop and how Hackrate can help you launch it with confidence.","tags":["hackrate","ethical-hacking","security-testing","news","getting-started"],"lastModificationTime":null,"lastModificationTimeString":null,"dateModifiedSeoFormat":null,"hero":{"full":{"base64":"data:image/png;base64,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","aspectRatio":1.78397212543554,"src":"/static/215707898c57c1c20ffc63b34c9583ad/5d2c5/Let-2026-be-the-year-bug-bounty-becomes-part-of-how-you-build-and-operate.png","srcSet":"/static/215707898c57c1c20ffc63b34c9583ad/6ba37/Let-2026-be-the-year-bug-bounty-becomes-part-of-how-you-build-and-operate.png 512w,\n/static/215707898c57c1c20ffc63b34c9583ad/5d2c5/Let-2026-be-the-year-bug-bounty-becomes-part-of-how-you-build-and-operate.png 1000w","srcWebp":"/static/215707898c57c1c20ffc63b34c9583ad/36ebb/Let-2026-be-the-year-bug-bounty-becomes-part-of-how-you-build-and-operate.webp","srcSetWebp":"/static/215707898c57c1c20ffc63b34c9583ad/e4e36/Let-2026-be-the-year-bug-bounty-becomes-part-of-how-you-build-and-operate.webp 
512w,\n/static/215707898c57c1c20ffc63b34c9583ad/36ebb/Let-2026-be-the-year-bug-bounty-becomes-part-of-how-you-build-and-operate.webp 1000w","sizes":"(max-width: 1000px) 100vw, 1000px"}},"commentId":"/blog/Let-2026-be-the-year-bug-bounty-becomes-part-of-how-you-build-and-operate/","tableOfContents":{"items":[{"url":"#why-periodic-pentests-often-miss-what-matters","title":"Why periodic pentests often miss what matters"},{"url":"#continuous-development-needs-security-that-stays-on","title":"Continuous development needs security that stays on"},{"url":"#starting-safely-without-creating-noise","title":"Starting safely without creating noise"},{"url":"#how-hackrate-can-help-you-get-started","title":"How Hackrate can help you get started"}]},"lastModifiedTime":"2026-01-05T09:00:00.000Z","lastModifiedTimeString":"January 05, 2026"},{"id":"66c2cb26-28e3-53da-85a4-96732431949a","author":"Balazs Pozner","body":"var _excluded = [\"components\"];\nfunction _extends() { _extends = Object.assign ? Object.assign.bind() : function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = 
sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n/* @jsxRuntime classic */\n/* @jsx mdx */\n\nvar _frontmatter = {\n  \"templateKey\": \"blog-post\",\n  \"title\": \"Ministry of Regional Development of the Czech Republic Launches Public Bug Bounty Program with Hackrate\",\n  \"description\": \"The Ministry of Regional Development of the Czech Republic partners with Hackrate to launch a public bug bounty program—empowering ethical hackers to strengthen national cybersecurity and set a precedent for the European public sector.\",\n  \"author\": \"Balazs Pozner\",\n  \"authorURL\": \"https://twitter.com/hackrate\",\n  \"date\": \"2025-07-16T09:00:00.000Z\",\n  \"image\": \"/img/blog/Ministry-of-Regional-Development-of-the-Czech-Republic-Launches-Public-Bug-Bounty-Program-with-Hackrate.png\",\n  \"tags\": [\"security-testing\", \"ethical-hacking\", \"news\", \"hackrate\"]\n};\nvar layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = \"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n    props = _objectWithoutProperties(_ref, _excluded);\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"p\", null, \"We\\u2019re proud to announce that the Ministry of Regional Development of the Czech Republic (MMR) is launching its public bug bounty program on July 16, in partnership with Hackrate.\"), mdx(\"p\", null, \"This marks a significant milestone\\u2014not only for the Ministry but for the broader European public sector. 
Government institutions rarely open their systems to ethical hackers, but MMR is taking a bold, forward-thinking step to strengthen its cybersecurity posture through crowdsourced security testing.\"), mdx(\"h2\", {\n    \"id\": \"why-a-bug-bounty-program\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#why-a-bug-bounty-program\",\n    \"aria-label\": \"why a bug bounty program permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Why a Bug Bounty Program?\"), mdx(\"p\", null, \"The Ministry operates a diverse range of IT systems that support critical public services. 
Recognizing the complexity, they\\u2019ve chosen to engage Hackrate\\u2019s global community of ethical hackers to identify and report vulnerabilities before malicious actors can exploit them.\"), mdx(\"p\", null, \"This approach ensures a broad spectrum of expertise and attack perspectives, far beyond what traditional security assessments can offer.\"), mdx(\"h2\", {\n    \"id\": \"how-the-bug-bounty-program-works\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#how-the-bug-bounty-program-works\",\n    \"aria-label\": \"how the bug bounty program works permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"How the Bug Bounty Program Works\"), mdx(\"p\", null, \"MMR\\u2019s program is unmanaged, meaning their internal security team is directly responsible for triaging and validating the vulnerability reports submitted by ethical hackers. 
This model gives them full control over the process while benefiting from the scale and diversity of the hacker community.\"), mdx(\"p\", null, \"To incentivize high-quality research, the Ministry has committed to awarding up to \\u20AC1000 for valid reports submitted during the testing phase - a strong commitment to meaningful collaboration with the ethical hacking community.\"), mdx(\"h2\", {\n    \"id\": \"a-model-for-public-sector-cybersecurity\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#a-model-for-public-sector-cybersecurity\",\n    \"aria-label\": \"a model for public sector cybersecurity permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"A Model for Public Sector Cybersecurity\"), mdx(\"p\", null, \"At Hackrate, we believe that transparency, collaboration, and continuous testing are essential pillars of modern cybersecurity. 
The Ministry\\u2019s decision to go public with their bug bounty program sets a powerful example for other government institutions across Europe.\"), mdx(\"p\", null, \"We\\u2019re honored to support this initiative and excited to see the impact of ethical hacking in securing public digital infrastructure.\"));\n}\n;\nMDXContent.isMDXComponent = true;","slug":"/blog/Ministry-of-Regional-Development-of-the-Czech-Republic-Launches-Public-Bug-Bounty-Program-with-Hackrate/","timeToRead":"2 min read","date":"July 16, 2025","dateString":"July 16, 2025","datePublishedSeoFormat":"2025-07-16","title":"Ministry of Regional Development of the Czech Republic Launches Public Bug Bounty Program with Hackrate","excerpt":"The Ministry of Regional Development of the Czech Republic partners with Hackrate to launch a public bug bounty program—empowering ethical hackers to strengthen national cybersecurity and set a precedent for the European public sector.","tags":["security-testing","ethical-hacking","news","hackrate"],"lastModificationTime":null,"lastModificationTimeString":null,"dateModifiedSeoFormat":null,"hero":{"full":{"base64":"data:image/png;base64,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","aspectRatio":1.78397212543554,"src":"/static/2459a3ea6baa8df39cff580d4b2af5a0/57f38/Ministry-of-Regional-Development-of-the-Czech-Republic-Launches-Public-Bug-Bounty-Program-with-Hackrate.png","srcSet":"/static/2459a3ea6baa8df39cff580d4b2af5a0/6ba37/Ministry-of-Regional-Development-of-the-Czech-Republic-Launches-Public-Bug-Bounty-Program-with-Hackrate.png 512w,\n/static/2459a3ea6baa8df39cff580d4b2af5a0/57f38/Ministry-of-Regional-Development-of-the-Czech-Republic-Launches-Public-Bug-Bounty-Program-with-Hackrate.png 
904w","srcWebp":"/static/2459a3ea6baa8df39cff580d4b2af5a0/491d1/Ministry-of-Regional-Development-of-the-Czech-Republic-Launches-Public-Bug-Bounty-Program-with-Hackrate.webp","srcSetWebp":"/static/2459a3ea6baa8df39cff580d4b2af5a0/e4e36/Ministry-of-Regional-Development-of-the-Czech-Republic-Launches-Public-Bug-Bounty-Program-with-Hackrate.webp 512w,\n/static/2459a3ea6baa8df39cff580d4b2af5a0/491d1/Ministry-of-Regional-Development-of-the-Czech-Republic-Launches-Public-Bug-Bounty-Program-with-Hackrate.webp 904w","sizes":"(max-width: 904px) 100vw, 904px"}},"commentId":"/blog/Ministry-of-Regional-Development-of-the-Czech-Republic-Launches-Public-Bug-Bounty-Program-with-Hackrate/","tableOfContents":{"items":[{"url":"#why-a-bug-bounty-program","title":"Why a Bug Bounty Program?"},{"url":"#how-the-bug-bounty-program-works","title":"How the Bug Bounty Program Works"},{"url":"#a-model-for-public-sector-cybersecurity","title":"A Model for Public Sector Cybersecurity"}]},"lastModifiedTime":"2025-07-16T09:00:00.000Z","lastModifiedTimeString":"July 16, 2025"},{"id":"00f9494e-36e8-589b-b437-0e28ef553904","author":"Levente Molnar","body":"var _excluded = [\"components\"];\nfunction _extends() { _extends = Object.assign ? 
Object.assign.bind() : function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n/* @jsxRuntime classic */\n/* @jsx mdx */\n\nvar _frontmatter = {\n  \"templateKey\": \"blog-post\",\n  \"title\": \"Measuring the Success of Bug Bounty Programs: Outdated vs. 
Modern Approaches\",\n  \"description\": \"Shift from outdated metrics to advanced methods with Hackrate’s HackGATE to monitor the success of your Bug Bounty Programs.\",\n  \"author\": \"Levente Molnar\",\n  \"authorURL\": \"https://twitter.com/hackrate\",\n  \"date\": \"2025-03-25T09:00:00.000Z\",\n  \"image\": \"/img/blog/Measuring-the-Success-of-Bug-Bounty-Programs--Outdated-vs-Modern-Approaches.png\",\n  \"tags\": [\"security-testing\", \"ethical-hacking\", \"news\"]\n};\nvar layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = \"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n    props = _objectWithoutProperties(_ref, _excluded);\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"p\", null, \"Bug bounty programs have matured significantly over time, making it evident that traditional methods for evaluating their success are no longer sufficient. To truly understand the impact of a bug bounty program today, organizations must adopt advanced metrics. These metrics should prioritize the severity of vulnerabilities discovered, the quality of researcher interactions, and the insights derived from continuous monitoring.\"), mdx(\"p\", null, mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://www.hckrt.com/\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"Hackrate\\u2019s\"), \"  \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://hackgate.io/\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"HackGATE\"), \"  offers a transformative approach, equipping organizations with the tools to gain unparalleled control and visibility over their bug bounty programs. 
This article revisits outdated evaluation techniques and highlights modern strategies that deliver actionable results.\"), mdx(\"h2\", {\n    \"id\": \"outdated-methods-to-gauge-bug-bounty-program-impact\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#outdated-methods-to-gauge-bug-bounty-program-impact\",\n    \"aria-label\": \"outdated methods to gauge bug bounty program impact permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Outdated Methods to Gauge Bug Bounty Program Impact\"), mdx(\"h3\", {\n    \"id\": \"1-counting-bugs-vs-prioritizing-report-quality\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#1-counting-bugs-vs-prioritizing-report-quality\",\n    \"aria-label\": \"1 counting bugs vs prioritizing report quality permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 
3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"1. Counting Bugs vs. Prioritizing Report Quality\"), mdx(\"p\", null, \"Early bug bounty programs often measured success by the sheer number of reported vulnerabilities. However, this approach is flawed, as it overlooks the critical factors of severity and relevance.\"), mdx(\"p\", null, \"Similarly, gauging success through the number of payouts can be misleading, as it prioritizes volume over the overall effectiveness of the program. This may result in significant vulnerabilities being overlooked.\"), mdx(\"p\", null, mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"The HackGATE Advantage:\"), \"  HackGATE shifts the focus from quantity to quality by implementing a robust triage system. Security teams can now concentrate on critical insights, such as attack types, severity levels, testing duration, HTTP requests, and functionalities assessed. 
This refined approach ensures that only impactful vulnerabilities are prioritized, enhancing the overall effectiveness of the bug bounty program.\"), mdx(\"h3\", {\n    \"id\": \"2-number-of-ethical-hackers-vs-their-expertise\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#2-number-of-ethical-hackers-vs-their-expertise\",\n    \"aria-label\": \"2 number of ethical hackers vs their expertise permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"2. Number of Ethical Hackers vs. Their Expertise\"), mdx(\"p\", null, \"Traditionally, the success of a bug bounty program was often linked to the number of participating researchers. However, a larger pool of ethical hackers doesn\\u2019t guarantee better results. The true measure of success lies in the skills and expertise of the participants.\"), mdx(\"p\", null, mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"The HackGATE Advantage:\"), \"  HackGATE gives organizations complete control over their pentest participants, allowing them to invite only the most skilled researchers while keeping unauthorized access at bay. 
This targeted approach ensures high-quality findings and peace of mind for the organization.\"), mdx(\"h3\", {\n    \"id\": \"3-activity-logs-vs-real-time-insights\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#3-activity-logs-vs-real-time-insights\",\n    \"aria-label\": \"3 activity logs vs real time insights permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"3. Activity Logs vs. Real-Time Insights\"), mdx(\"p\", null, \"Relying solely on log-based monitoring is now an outdated practice. Logs often lack real-time context, making it harder to identify and respond to evolving threats. Analyzing log data retrospectively is also time-consuming and prone to inefficiencies.\"), mdx(\"p\", null, mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"The HackGATE Advantage:\"), \"  HackGATE operates as an autonomous, cloud-based platform, independent of pentesters\\u2019 actions. It identifies attack patterns, logs essential security data, and generates compliance-ready reports in real-time. 
This transparency enables organizations to maintain robust testing protocols and establish resilient defenses.\"), mdx(\"h3\", {\n    \"id\": \"4-sole-reliance-on-final-pentest-reports\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#4-sole-reliance-on-final-pentest-reports\",\n    \"aria-label\": \"4 sole reliance on final pentest reports permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"4. Sole Reliance on Final Pentest Reports\"), mdx(\"p\", null, \"Placing complete trust in a pentest provider\\u2019s final report can leave organizations vulnerable to incomplete testing or a lack of transparency. Without visibility into the testing process, it\\u2019s difficult to assess the thoroughness of the report or address potential gaps.\"), mdx(\"p\", null, mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"The HackGATE Advantage:\"), \"  HackGATE empowers organizations with a centralized dashboard that offers complete visibility into their bug bounty projects. 
From monitoring active researchers to analyzing attack types, testing durations, HTTP requests, and rewards, HackGATE ensures organizations have the insights needed to stay in control and make informed decisions.\"), mdx(\"h2\", {\n    \"id\": \"embracing-advanced-metrics-to-elevate-security\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#embracing-advanced-metrics-to-elevate-security\",\n    \"aria-label\": \"embracing advanced metrics to elevate security permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Embracing Advanced Metrics to Elevate Security\"), mdx(\"p\", null, \"As bug bounty programs evolve, it\\u2019s clear that outdated metrics are no longer adequate. 
Organizations must transition to modern evaluation techniques that:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Prioritize the quality of bug reports over quantity.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Align skilled researchers with program objectives.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Leverage real-time insights for proactive decision-making.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Encourage open communication and transparency throughout the testing process.\")), mdx(\"p\", null, \"Hackrate\\u2019s HackGATE is designed to help organizations achieve these goals, providing a platform that streamlines bug bounty management and delivers actionable insights. By adopting advanced metrics and leveraging innovative tools, organizations can enhance their security posture, adapt to the ever-changing threat landscape, and drive meaningful results from their bug bounty programs.\"), mdx(\"p\", null, \"Ready to transform your bug bounty program? Discover how  \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://www.hckrt.com/\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"Hackrate\"), \"  and  \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://hackgate.io/\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"HackGATE\"), \"  can elevate your approach to security testing.\"), mdx(\"p\", null, \"Explore the continuous evolution of security solutions with us.\"));\n}\n;\nMDXContent.isMDXComponent = true;","slug":"/blog/Measuring-the-Success-of-Bug-Bounty-Programs--Outdated-vs-Modern-Approaches/","timeToRead":"4 min read","date":"March 25, 2025","dateString":"March 25, 2025","datePublishedSeoFormat":"2025-03-25","title":"Measuring the Success of Bug Bounty Programs: Outdated vs. 
Modern Approaches","excerpt":"Shift from outdated metrics to advanced methods with Hackrate’s HackGATE to monitor the success of your Bug Bounty Programs.","tags":["security-testing","ethical-hacking","news"],"lastModificationTime":null,"lastModificationTimeString":null,"dateModifiedSeoFormat":null,"hero":{"full":{"base64":"data:image/png;base64,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","aspectRatio":1.78397212543554,"src":"/static/ebc0b01272c5720b97733408619cfb7c/3ba25/Measuring-the-Success-of-Bug-Bounty-Programs--Outdated-vs-Modern-Approaches.png","srcSet":"/static/ebc0b01272c5720b97733408619cfb7c/6ba37/Measuring-the-Success-of-Bug-Bounty-Programs--Outdated-vs-Modern-Approaches.png 512w,\n/static/ebc0b01272c5720b97733408619cfb7c/4e530/Measuring-the-Success-of-Bug-Bounty-Programs--Outdated-vs-Modern-Approaches.png 1024w,\n/static/ebc0b01272c5720b97733408619cfb7c/3ba25/Measuring-the-Success-of-Bug-Bounty-Programs--Outdated-vs-Modern-Approaches.png 2000w","srcWebp":"/static/ebc0b01272c5720b97733408619cfb7c/6e77b/Measuring-the-Success-of-Bug-Bounty-Programs--Outdated-vs-Modern-Approaches.webp","srcSetWebp":"/static/ebc0b01272c5720b97733408619cfb7c/e4e36/Measuring-the-Success-of-Bug-Bounty-Programs--Outdated-vs-Modern-Approaches.webp 512w,\n/static/ebc0b01272c5720b97733408619cfb7c/e0f73/Measuring-the-Success-of-Bug-Bounty-Programs--Outdated-vs-Modern-Approaches.webp 1024w,\n/static/ebc0b01272c5720b97733408619cfb7c/6e77b/Measuring-the-Success-of-Bug-Bounty-Programs--Outdated-vs-Modern-Approaches.webp 2000w","sizes":"(max-width: 2000px) 100vw, 2000px"}},"commentId":"/blog/Measuring-the-Success-of-Bug-Bounty-Programs--Outdated-vs-Modern-Approaches/","tableOfContents":{"items":[{"url":"#outdated-methods-to-gauge-bug-bounty-program-impact","title":"Outdated Methods to Gauge Bug Bounty Program Impact","items":[{"url":"#1-counting-bugs-vs-prioritizing-report-quality","title":"1. Counting Bugs vs. 
Prioritizing Report Quality"},{"url":"#2-number-of-ethical-hackers-vs-their-expertise","title":"2. Number of Ethical Hackers vs. Their Expertise"},{"url":"#3-activity-logs-vs-real-time-insights","title":"3. Activity Logs vs. Real-Time Insights"},{"url":"#4-sole-reliance-on-final-pentest-reports","title":"4. Sole Reliance on Final Pentest Reports"}]},{"url":"#embracing-advanced-metrics-to-elevate-security","title":"Embracing Advanced Metrics to Elevate Security"}]},"lastModifiedTime":"2025-03-25T09:00:00.000Z","lastModifiedTimeString":"March 25, 2025"},{"id":"c18e885a-cb64-5cf6-b0f3-428d6a2f4dd2","author":"Balazs Pozner","body":"var _excluded = [\"components\"];\nfunction _extends() { _extends = Object.assign ? Object.assign.bind() : function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n/* @jsxRuntime classic */\n/* @jsx mdx */\n\nvar _frontmatter = {\n  \"templateKey\": \"blog-post\",\n  \"title\": \"A VDP szerepe a NIS 2 megfelelésben: Amit a sérülékenység 
közzétételi irányelvről tudni kell\",\n  \"description\": \"Az előző cikkben bemutattuk a NIS 2 irányelv követelményeit és a magyar vállalatokra gyakorolt hatását. Ebben a posztban részletesen tárgyaljuk a sérülékenység közzétételi irányelvet (VDP), amely a NIS 2 egyik kulcsfontosságú eleme. Megvizsgáljuk, miért nem elegendő egy egyszerű email cím a sérülékenységek bejelentésére, és miért van szükség jól felépített, strukturált VDP-re a vállalatok kiberbiztonsági pozíciójának erősítésére.\",\n  \"author\": \"Balazs Pozner\",\n  \"authorURL\": \"https://twitter.com/hackrate\",\n  \"date\": \"2024-09-02T09:00:00.000Z\",\n  \"image\": \"/img/blog/A-VDP-szerepe-a-NIS-2-megfelelesben.png\",\n  \"tags\": [\"security-testing\", \"ethical-hacking\", \"news\"]\n};\nvar layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = \"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n    props = _objectWithoutProperties(_ref, _excluded);\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"p\", null, \"In the \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://blog.hckrt.com/blog/NIS-2-rendelet-megfeleloseg-%E2%80%94Mit-kell-tudnia-a-magyar-cegeknek/\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"previous article\"), \" we presented the requirements of the NIS 2 directive and its impact on Hungarian companies. 
In this post we highlight in more detail one specific, extremely important element of NIS 2: the vulnerability disclosure policy (VDP).\"), mdx(\"p\", null, \"A VDP is an official document and framework that defines how a company receives and handles reports from external parties about security gaps found in its systems.\"), mdx(\"p\", null, \"The NIS 2 directive explicitly requires the introduction of a VDP in section 15.18 Vulnerability management \\u2013 Receiving vulnerability information, yet in many companies the question may arise: Why is it not enough to simply provide an email address for reporting vulnerabilities?\"), mdx(\"p\", null, \"Below we explain why this is not an adequate solution, what risks it leads to, and why companies need a well-designed, structured VDP.\"), mdx(\"h2\", {\n    \"id\": \"miért-fontos-része-a-vdp-a-nis-2-rendeletnek\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#mi%C3%A9rt-fontos-r%C3%A9sze-a-vdp-a-nis-2-rendeletnek\",\n    \"aria-label\": \"miért fontos része a vdp a nis 2 rendeletnek permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Why is the VDP an important part of the NIS 2 regulation?\"), mdx(\"p\", null, \"For a company to discover and fix its security vulnerabilities in time, an official reporting channel is essential. A well-designed VDP helps companies quickly recognize the security gaps in their systems and fix them before cybercriminals can abuse them.\"), mdx(\"p\", null, \"The VDP is therefore not merely a mandatory element of NIS 2 but a proactive tool for strengthening companies\\u2019 cybersecurity posture and reducing security attacks.\"), mdx(\"h2\", {\n    \"id\": \"milyen-következményekkel-járhat-ha-egy-cég-elhanyagolja-a-vdp-t\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#milyen-k%C3%B6vetkezm%C3%A9nyekkel-j%C3%A1rhat-ha-egy-c%C3%A9g-elhanyagolja-a-vdp-t\",\n    \"aria-label\": \"milyen következményekkel járhat ha egy cég elhanyagolja a vdp t permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"What consequences can there be if a company neglects the VDP?\"), mdx(\"h3\", {\n    \"id\": \"rejtve-maradt-sebezhetőségek\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#rejtve-maradt-sebezhet%C5%91s%C3%A9gek\",\n    \"aria-label\": \"rejtve maradt sebezhetőségek permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), mdx(\"strong\", {\n    parentName: \"h3\"\n  }, \"Vulnerabilities that remain hidden\")), mdx(\"p\", null, \"If there is no official channel through which ethical hackers can report security vulnerabilities, their discovery can be significantly delayed, which can pose a high risk to the security of the system. 
Hidden security gaps can become a primary target for cybercriminals.\"), mdx(\"h3\", {\n    \"id\": \"jogi-és-reputációs-kockázatok\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#jogi-%C3%A9s-reput%C3%A1ci%C3%B3s-kock%C3%A1zatok\",\n    \"aria-label\": \"jogi és reputációs kockázatok permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), mdx(\"strong\", {\n    parentName: \"h3\"\n  }, \"Legal and reputational risks\")), mdx(\"p\", null, \"If a vulnerability leads to data loss or other damage, the company can expect legal proceedings. Besides the legal consequences, the company\\u2019s reputation may also suffer, especially if the company does not handle incidents transparently. The greatest loss, however, is the loss of trust. 
Egy s\\xFAlyos kiberbiztons\\xE1gi t\\xE1mad\\xE1s ut\\xE1n az \\xFCgyfelek \\xE9s partnerek nem fognak t\\xF6bb\\xE9 b\\xEDzni abban, hogy a v\\xE1llalat k\\xE9pes megv\\xE9deni az \\xE9rt\\xE9kes adataikat.\"), mdx(\"h3\", {\n    \"id\": \"it-biztonsági-kockázat\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#it-biztons%C3%A1gi-kock%C3%A1zat\",\n    \"aria-label\": \"it biztonsági kockázat permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), mdx(\"strong\", {\n    parentName: \"h3\"\n  }, \"IT biztons\\xE1gi kock\\xE1zat\")), mdx(\"p\", null, \"Ha nincsenek j\\xF3l struktur\\xE1lt folyamatok a biztons\\xE1gi jelent\\xE9sek kezel\\xE9s\\xE9re, a csapatok k\\xF6nnyen t\\xFAlterhel\\u0151dhetnek ellen\\u0151rizetlen vagy irrelev\\xE1ns inform\\xE1ci\\xF3kkal. Egy t\\xFAlhajszolt IT csapat nem k\\xE9pes hat\\xE9konyan kezelni az \\xF6z\\xF6nl\\u0151 inform\\xE1ci\\xF3kat, \\xEDgy \\xE9rt\\xE9kes id\\u0151 \\xE9s er\\u0151forr\\xE1sok vesznek k\\xE1rba. 
\\xCDgy pedig elk\\xE9pzelhet\\u0151, hogy a k\\xEDv\\xFClr\\u0151l \\xE9rkez\\u0151, potenci\\xE1lisan kritikus s\\xE9r\\xFCl\\xE9kenys\\xE9gekkel kapcsolatos inform\\xE1ci\\xF3k is elvesznek a zajban.\"), mdx(\"p\", null, \"Csapatunk tavaly \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://blog.hckrt.com/blog/State-of-Vulnerability-Disclosure-Key-learnings-from-our-eBook/\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"\\xE1tfog\\xF3 felm\\xE9r\\xE9st k\\xE9sz\\xEDtett VDP t\\xE9m\\xE1ban\"), \". A kutat\\xE1sb\\xF3l kider\\xFClt, hogy a c\\xE9gekhez be\\xE9rkezett s\\xE9r\\xFCl\\xE9kenys\\xE9gi jelent\\xE9sek d\\xF6bbenetesen nagy r\\xE9sze, 80%-a spam volt. Ilyen mennyis\\xE9g\\u0171 spam jelent\\xE9s valid\\xE1l\\xE1sa rengeteg id\\u0151t \\xE9s er\\u0151fesz\\xEDt\\xE9st ig\\xE9nyel egy IT csapat r\\xE9sz\\xE9r\\u0151l.\"), mdx(\"h3\", {\n    \"id\": \"megfelelőségi-problémák\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#megfelel%C5%91s%C3%A9gi-probl%C3%A9m%C3%A1k\",\n    \"aria-label\": \"megfelelőségi problémák permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), mdx(\"strong\", {\n    parentName: \"h3\"\n  }, \"Megfelel\\u0151s\\xE9gi probl\\xE9m\\xE1k\")), mdx(\"p\", null, \"A VDP hi\\xE1nya 
komoly jogi \\xE9s \\xFCzleti kock\\xE1zatokkal j\\xE1r. Akik nem tartj\\xE1k be a kiberbiztons\\xE1gi el\\u0151\\xEDr\\xE1sokat, azokat s\\xFAlyos p\\xE9nz\\xFCgyi szankci\\xF3k \\xE9rhetik.\"), mdx(\"p\", null, \"\\xD6sszess\\xE9g\\xE9ben elmondhatjuk, hogy egy VDP n\\xE9lk\\xFCli v\\xE1llalat nagyobb val\\xF3sz\\xEDn\\u0171s\\xE9ggel v\\xE1lhat biztons\\xE1gi t\\xE1mad\\xE1sok c\\xE9lpontj\\xE1v\\xE1, ami jogi probl\\xE9m\\xE1khoz \\xE9s reput\\xE1ci\\xF3s k\\xE1rokhoz vezethet. A VDP hi\\xE1nya akad\\xE1lyozza a v\\xE1llalatot abban is, hogy er\\u0151s IT biztons\\xE1gi keretrendszert \\xE9p\\xEDtsen ki \\xE9s egy\\xFCttm\\u0171k\\xF6d\\u0151 kapcsolatot alak\\xEDtson ki a kiberbiztons\\xE1gi szakmai k\\xF6z\\xF6ss\\xE9ggel.\"), mdx(\"h2\", {\n    \"id\": \"hogyan-néz-ki-egy-jól-megtervezett-vdp\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#hogyan-n%C3%A9z-ki-egy-j%C3%B3l-megtervezett-vdp\",\n    \"aria-label\": \"hogyan néz ki egy jól megtervezett vdp permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Hogyan n\\xE9z ki egy j\\xF3l megtervezett VDP?\"), mdx(\"p\", null, \"Egy hat\\xE9kony VDP tiszta, egy\\xE9rtelm\\u0171 kommunik\\xE1ci\\xF3s csatorn\\xE1t biztos\\xEDt a k\\xFCls\\u0151 felek \\xE9s a v\\xE1llalat k\\xF6z\\xF6tt, 
r\\xE9szletesen ismertetve a sebezhet\\u0151s\\xE9gek bejelent\\xE9s\\xE9nek \\xE9s kezel\\xE9s\\xE9nek folyamat\\xE1t, bele\\xE9rtve a sz\\xFCks\\xE9ges inform\\xE1ci\\xF3kat \\xE9s az el\\xE9rhet\\u0151s\\xE9geket. Nemcsak a v\\xE1llalat elk\\xF6telezetts\\xE9g\\xE9t mutatja a kiberbiztons\\xE1g ir\\xE1nt, hanem jav\\xEDtja is a c\\xE9g h\\xEDrnev\\xE9t a partnerek \\xE9s \\xFCgyfelek szem\\xE9ben.\"), mdx(\"p\", null, \"A l\\xE9p\\xE9sr\\u0151l l\\xE9p\\xE9sre r\\xE9szletezett folyamat \\xE9s a hat\\xE1rid\\u0151k seg\\xEDtenek az etikus hackereknek, hogy k\\xF6nnyen \\xE9s biztons\\xE1gosan jelezhess\\xE9k a probl\\xE9m\\xE1kat. A rugalmass\\xE1g \\xE9s a folyamatos figyelem biztos\\xEDtja, hogy a VDP hossz\\xFA t\\xE1von is hat\\xE9konyan m\\u0171k\\xF6dj\\xF6n.\"), mdx(\"h3\", {\n    \"id\": \"a-vdp-kulcsfontosságú-részei\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#a-vdp-kulcsfontoss%C3%A1g%C3%BA-r%C3%A9szei\",\n    \"aria-label\": \"a vdp kulcsfontosságú részei permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"A VDP kulcsfontoss\\xE1g\\xFA r\\xE9szei:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"p\", {\n    parentName: \"li\"\n  }, mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"Kapcsolattart\\xE1si 
inform\\xE1ci\\xF3k:\"), \" Kihez fordulhatnak a jelent\\u0151k?\")), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"p\", {\n    parentName: \"li\"\n  }, mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"Jelent\\xE9si folyamat:\"), \" Hogyan lehet a sebezhet\\u0151s\\xE9geket bejelenteni?\")), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"p\", {\n    parentName: \"li\"\n  }, mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"Jelent\\xE9si form\\xE1tumok:\"), \" Milyen form\\xE1tumban v\\xE1rja a v\\xE1llalat a jelent\\xE9seket?\")), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"p\", {\n    parentName: \"li\"\n  }, mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"\\xC9rt\\xE9kel\\xE9si krit\\xE9riumok:\"), \" Milyen szempontok alapj\\xE1n \\xE9rt\\xE9keli a v\\xE1llalat a bejelentett sebezhet\\u0151s\\xE9geket?\")), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"p\", {\n    parentName: \"li\"\n  }, mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"Jav\\xEDt\\xE1si folyamat:\"), \" Hogyan kommunik\\xE1lja a v\\xE1llalat a jav\\xEDt\\xE1si folyamatot? 
Milyen hat\\xE1rid\\u0151n bel\\xFCl kell jav\\xEDtani a sebezhet\\u0151s\\xE9geket?\")), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"p\", {\n    parentName: \"li\"\n  }, mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"Kommunik\\xE1ci\\xF3:\"), \" Hogyan kommunik\\xE1l a v\\xE1llalat a jelent\\u0151vel a folyamat sor\\xE1n?\")), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"p\", {\n    parentName: \"li\"\n  }, mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"K\\xF6zz\\xE9t\\xE9teli ir\\xE1nyelvek:\"), \" Mikor \\xE9s hogyan teszi nyilv\\xE1noss\\xE1 a v\\xE1llalat a sebezhet\\u0151s\\xE9get \\xE9s a jav\\xEDt\\xE1st?\"))), mdx(\"h2\", {\n    \"id\": \"a-vdp-folyamata-lépésről-lépésre\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#a-vdp-folyamata-l%C3%A9p%C3%A9sr%C5%91l-l%C3%A9p%C3%A9sre\",\n    \"aria-label\": \"a vdp folyamata lépésről lépésre permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"A VDP folyamata, l\\xE9p\\xE9sr\\u0151l l\\xE9p\\xE9sre\"), mdx(\"h3\", {\n    \"id\": \"1-lépés-keretrendszer-kialakítása\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#1-l%C3%A9p%C3%A9s-keretrendszer-kialak%C3%ADt%C3%A1sa\",\n    \"aria-label\": \"1 lépés 
keretrendszer kialakítása permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"1. l\\xE9p\\xE9s: Keretrendszer kialak\\xEDt\\xE1sa\"), mdx(\"p\", null, \"Seg\\xEDt\\xFCnk meghat\\xE1rozni a VDP tartalm\\xE1t, \\xFAgy, hogy jogi v\\xE9delmet biztos\\xEDtson a v\\xE1llalat sz\\xE1m\\xE1ra \\xE9s azok sz\\xE1m\\xE1ra is, akik a sebezhet\\u0151s\\xE9geket az el\\u0151\\xEDrt m\\xF3don jelentik be.\"), mdx(\"h3\", {\n    \"id\": \"2-lépés-sebezhetőségi-bejelentő-űrlap-létrehozása\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#2-l%C3%A9p%C3%A9s-sebezhet%C5%91s%C3%A9gi-bejelent%C5%91-%C5%B1rlap-l%C3%A9trehoz%C3%A1sa\",\n    \"aria-label\": \"2 lépés sebezhetőségi bejelentő űrlap létrehozása permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 
0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"2. l\\xE9p\\xE9s: Sebezhet\\u0151s\\xE9gi bejelent\\u0151 \\u0171rlap l\\xE9trehoz\\xE1sa\"), mdx(\"p\", null, \"Csapatunk seg\\xEDt a sebezhet\\u0151s\\xE9gi bejelent\\u0151 \\u0171rlap be\\xE1gyaz\\xE1s\\xE1ban a c\\xE9g weboldal\\xE1ra. Fontos egy\\xE9rtelm\\u0171en jelezni, hogy az akt\\xEDv biztons\\xE1gi tesztel\\xE9s nem enged\\xE9lyezett a VDP folyamatban.\"), mdx(\"p\", null, mdx(\"span\", {\n    parentName: \"p\",\n    \"className\": \"gatsby-resp-image-wrapper\",\n    \"style\": {\n      \"position\": \"relative\",\n      \"display\": \"block\",\n      \"marginLeft\": \"auto\",\n      \"marginRight\": \"auto\",\n      \"maxWidth\": \"1390px\"\n    }\n  }, \"\\n      \", mdx(\"span\", {\n    parentName: \"span\",\n    \"className\": \"gatsby-resp-image-background-image\",\n    \"style\": {\n      \"paddingBottom\": \"67.29166666666666%\",\n      \"position\": \"relative\",\n      \"bottom\": \"0\",\n      \"left\": \"0\",\n      \"backgroundImage\": \"url('data:image/png;base64,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')\",\n      \"backgroundSize\": \"cover\",\n      \"display\": \"block\"\n    }\n  }), \"\\n  \", mdx(\"picture\", {\n    parentName: \"span\"\n  }, \"\\n          \", mdx(\"source\", {\n    parentName: \"picture\",\n    \"srcSet\": [\"/static/0ae88e7adff9e5a07b3bec7c3e22dcaa/42669/Publish-our-VDP-form.webp 480w\", \"/static/0ae88e7adff9e5a07b3bec7c3e22dcaa/10c02/Publish-our-VDP-form.webp 960w\", \"/static/0ae88e7adff9e5a07b3bec7c3e22dcaa/d5054/Publish-our-VDP-form.webp 1390w\"],\n    \"sizes\": \"(max-width: 1390px) 100vw, 1390px\",\n    \"type\": \"image/webp\"\n  }), \"\\n          \", mdx(\"source\", {\n    parentName: \"picture\",\n    \"srcSet\": [\"/static/0ae88e7adff9e5a07b3bec7c3e22dcaa/ab158/Publish-our-VDP-form.png 480w\", 
\"/static/0ae88e7adff9e5a07b3bec7c3e22dcaa/7d769/Publish-our-VDP-form.png 960w\", \"/static/0ae88e7adff9e5a07b3bec7c3e22dcaa/f0baf/Publish-our-VDP-form.png 1390w\"],\n    \"sizes\": \"(max-width: 1390px) 100vw, 1390px\",\n    \"type\": \"image/png\"\n  }), \"\\n          \", mdx(\"img\", {\n    parentName: \"picture\",\n    \"className\": \"gatsby-resp-image-image\",\n    \"src\": \"/static/0ae88e7adff9e5a07b3bec7c3e22dcaa/f0baf/Publish-our-VDP-form.png\",\n    \"alt\": \"Publish our VDP form\",\n    \"title\": \"Publish our VDP form\",\n    \"loading\": \"lazy\",\n    \"style\": {\n      \"width\": \"100%\",\n      \"height\": \"100%\",\n      \"margin\": \"0\",\n      \"verticalAlign\": \"middle\",\n      \"position\": \"absolute\",\n      \"top\": \"0\",\n      \"left\": \"0\"\n    }\n  }), \"\\n        \"), \"\\n    \")), mdx(\"h3\", {\n    \"id\": \"3-lépés-ellenőrzött-jelentések-fogadása\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#3-l%C3%A9p%C3%A9s-ellen%C5%91rz%C3%B6tt-jelent%C3%A9sek-fogad%C3%A1sa\",\n    \"aria-label\": \"3 lépés ellenőrzött jelentések fogadása permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"3. 
l\\xE9p\\xE9s: Ellen\\u0151rz\\xF6tt jelent\\xE9sek fogad\\xE1sa\"), mdx(\"p\", null, \"A Hackrate Ethical Hacking Platformon kereszt\\xFCl ellen\\u0151rizz\\xFCk (valid\\xE1ljuk) az \\xF6sszes be\\xE9rkez\\u0151 jelent\\xE9st, miel\\u0151tt tov\\xE1bb\\xEDtjuk a c\\xE9g IT csapat\\xE1nak.\"), mdx(\"h3\", {\n    \"id\": \"4-lépés-a-sebezhetőségek-kezelése\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#4-l%C3%A9p%C3%A9s-a-sebezhet%C5%91s%C3%A9gek-kezel%C3%A9se\",\n    \"aria-label\": \"4 lépés a sebezhetőségek kezelése permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"4. l\\xE9p\\xE9s: A sebezhet\\u0151s\\xE9gek kezel\\xE9se\"), mdx(\"p\", null, \"Az utols\\xF3 l\\xE9p\\xE9s a bejelentett sebezhet\\u0151s\\xE9gek menedzsel\\xE9se \\xE9s jav\\xEDt\\xE1sa. 
A folyamat sor\\xE1n a Hackrate csapata seg\\xEDt a c\\xE9g \\xE9s az etikus hackerek k\\xF6z\\xF6tti kommunik\\xE1ci\\xF3ban is.\"), mdx(\"p\", null, mdx(\"span\", {\n    parentName: \"p\",\n    \"className\": \"gatsby-resp-image-wrapper\",\n    \"style\": {\n      \"position\": \"relative\",\n      \"display\": \"block\",\n      \"marginLeft\": \"auto\",\n      \"marginRight\": \"auto\",\n      \"maxWidth\": \"1390px\"\n    }\n  }, \"\\n      \", mdx(\"span\", {\n    parentName: \"span\",\n    \"className\": \"gatsby-resp-image-background-image\",\n    \"style\": {\n      \"paddingBottom\": \"67.29166666666666%\",\n      \"position\": \"relative\",\n      \"bottom\": \"0\",\n      \"left\": \"0\",\n      \"backgroundImage\": \"url('data:image/png;base64,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')\",\n      \"backgroundSize\": \"cover\",\n      \"display\": \"block\"\n    }\n  }), \"\\n  \", mdx(\"picture\", {\n    parentName: \"span\"\n  }, \"\\n          \", mdx(\"source\", {\n    parentName: \"picture\",\n    \"srcSet\": [\"/static/30141abbb551d14901a80ed22ae3fd36/42669/Receive-validated-reports.webp 480w\", \"/static/30141abbb551d14901a80ed22ae3fd36/10c02/Receive-validated-reports.webp 960w\", \"/static/30141abbb551d14901a80ed22ae3fd36/d5054/Receive-validated-reports.webp 1390w\"],\n    \"sizes\": \"(max-width: 1390px) 100vw, 1390px\",\n    \"type\": \"image/webp\"\n  }), \"\\n          \", mdx(\"source\", {\n    parentName: \"picture\",\n    \"srcSet\": [\"/static/30141abbb551d14901a80ed22ae3fd36/ab158/Receive-validated-reports.png 480w\", \"/static/30141abbb551d14901a80ed22ae3fd36/7d769/Receive-validated-reports.png 960w\", \"/static/30141abbb551d14901a80ed22ae3fd36/f0baf/Receive-validated-reports.png 1390w\"],\n    \"sizes\": \"(max-width: 1390px) 100vw, 1390px\",\n    \"type\": \"image/png\"\n  }), \"\\n          \", mdx(\"img\", {\n    parentName: \"picture\",\n    \"className\": \"gatsby-resp-image-image\",\n    \"src\": 
\"/static/30141abbb551d14901a80ed22ae3fd36/f0baf/Receive-validated-reports.png\",\n    \"alt\": \"Receive validated reports\",\n    \"title\": \"Receive validated reports\",\n    \"loading\": \"lazy\",\n    \"style\": {\n      \"width\": \"100%\",\n      \"height\": \"100%\",\n      \"margin\": \"0\",\n      \"verticalAlign\": \"middle\",\n      \"position\": \"absolute\",\n      \"top\": \"0\",\n      \"left\": \"0\"\n    }\n  }), \"\\n        \"), \"\\n    \")), mdx(\"h2\", {\n    \"id\": \"miért-tanácsos-a-vdp-t-kiberbiztonságban-jártas-partnerrel-együttműködve-kialakítani\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#mi%C3%A9rt-tan%C3%A1csos-a-vdp-t-kiberbiztons%C3%A1gban-j%C3%A1rtas-partnerrel-egy%C3%BCttm%C5%B1k%C3%B6dve-kialak%C3%ADtani\",\n    \"aria-label\": \"miért tanácsos a vdp t kiberbiztonságban jártas partnerrel együttműködve kialakítani permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Mi\\xE9rt tan\\xE1csos a VDP-t kiberbiztons\\xE1gban j\\xE1rtas partnerrel egy\\xFCttm\\u0171k\\xF6dve kialak\\xEDtani?\"), mdx(\"p\", null, \"A VDP bevezet\\xE9se \\xE9s \\xFCzemeltet\\xE9se komplex feladat, rengeteg kih\\xEDv\\xE1ssal. 
Egy tapasztalt, VDP-ben j\\xE1rtas kiberbiztons\\xE1gi c\\xE9ggel l\\xE9trehozott partners\\xE9g sz\\xE1mos el\\u0151nnyel j\\xE1r.\"), mdx(\"h3\", {\n    \"id\": \"szakértői-tudás-és-tapasztalat\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#szak%C3%A9rt%C5%91i-tud%C3%A1s-%C3%A9s-tapasztalat\",\n    \"aria-label\": \"szakértői tudás és tapasztalat permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Szak\\xE9rt\\u0151i tud\\xE1s \\xE9s tapasztalat\"), mdx(\"p\", null, \"Egy VDP-ben tapasztalt csapat rendelkezik a sz\\xFCks\\xE9ges szaktud\\xE1ssal ahhoz, hogy egy hat\\xE9kony \\xE9s megb\\xEDzhat\\xF3 keretrendszert hozzon l\\xE9tre \\xE9s hossz\\xFA t\\xE1von is fenntartson.\"), mdx(\"h3\", {\n    \"id\": \"folyamatos-figyelem\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#folyamatos-figyelem\",\n    \"aria-label\": \"folyamatos figyelem permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": 
\"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Folyamatos figyelem\"), mdx(\"p\", null, \"A be\\xE9rkez\\u0151 jelent\\xE9sek folyamatos figyel\\xE9se \\xE9s kezel\\xE9se id\\u0151ig\\xE9nyes feladat. Egy szak\\xE9rt\\u0151 csapat biztos\\xEDtani tudja, hogy minden jelent\\xE9s megkapja a sz\\xFCks\\xE9ges figyelmet, a c\\xE9g pedig id\\u0151ben tudjon reag\\xE1lni.\"), mdx(\"h3\", {\n    \"id\": \"technikai-szakértelem\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#technikai-szak%C3%A9rtelem\",\n    \"aria-label\": \"technikai szakértelem permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Technikai szak\\xE9rtelem\"), mdx(\"p\", null, \"A VDP-vel kapcsolatos feladatokhoz gyakran m\\xE9lyebb technikai ismeret sz\\xFCks\\xE9ges. 
Egy szak\\xE9rt\\u0151 csapat k\\xE9pes kezelni a komplex technikai k\\xE9rd\\xE9seket \\xE9s megtal\\xE1lni a megfelel\\u0151 megold\\xE1st.\"), mdx(\"h3\", {\n    \"id\": \"folyamatok-optimalizálása\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#folyamatok-optimaliz%C3%A1l%C3%A1sa\",\n    \"aria-label\": \"folyamatok optimalizálása permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Folyamatok optimaliz\\xE1l\\xE1sa\"), mdx(\"p\", null, \"A VDP-szak\\xE9rt\\u0151k seg\\xEDthetnek optimaliz\\xE1lni a jelent\\xE9sek kezel\\xE9s\\xE9nek folyamatait, cs\\xF6kkenteni a false positve (invalid) riaszt\\xE1sok sz\\xE1m\\xE1t \\xE9s n\\xF6velni a program hat\\xE9konys\\xE1g\\xE1t.\"), mdx(\"h3\", {\n    \"id\": \"jogi-szakértelem\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#jogi-szak%C3%A9rtelem\",\n    \"aria-label\": \"jogi szakértelem permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": 
\"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Jogi szak\\xE9rtelem\"), mdx(\"p\", null, \"A VDP-vel kapcsolatban jogi k\\xE9rd\\xE9sek is felmer\\xFClhetnek, k\\xFCl\\xF6n\\xF6sen a hackerek bejelent\\xE9seinek kezel\\xE9se sor\\xE1n. Egy kiberbiztons\\xE1gi jogszab\\xE1lyokban j\\xE1rtas csapat seg\\xEDthet kialak\\xEDtani a megfelel\\u0151 jogi keretrendszert \\xE9s biztos\\xEDtani a szab\\xE1lyoknak val\\xF3 megfelel\\xE9st.\"), mdx(\"h3\", {\n    \"id\": \"strukturált-bejelentő-felület\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#struktur%C3%A1lt-bejelent%C5%91-fel%C3%BClet\",\n    \"aria-label\": \"strukturált bejelentő felület permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Struktur\\xE1lt bejelent\\u0151 fel\\xFClet\"), mdx(\"p\", null, \"A szak\\xE9rt\\u0151 csapat k\\xE9pes olyan struktur\\xE1lt jelent\\xE9sbejelent\\u0151 fel\\xFCletet kialak\\xEDtani, amely megk\\xF6nny\\xEDti a jelent\\xE9sek 
kezel\\xE9s\\xE9t \\xE9s az invalid riaszt\\xE1sok sz\\u0171r\\xE9s\\xE9t.\"), mdx(\"p\", null, \"\\xD6sszefoglalva: Egy VDP-ben j\\xE1rtas c\\xE9ggel val\\xF3 egy\\xFCttm\\u0171k\\xF6d\\xE9s sz\\xE1mos el\\u0151nnyel j\\xE1r, bele\\xE9rtve a szak\\xE9rt\\u0151i tud\\xE1st, a folyamatok optimaliz\\xE1l\\xE1s\\xE1t, a jogi megfelel\\u0151s\\xE9get \\xE9s a biztons\\xE1gosabb k\\xF6rnyezet kialak\\xEDt\\xE1s\\xE1t. Ez\\xE1ltal a v\\xE1llalatok hat\\xE9konyabban kezelhetik a biztons\\xE1gi kock\\xE1zatokat \\xE9s v\\xE9dhetik meg \\xE9rt\\xE9kes adataikat.\"), mdx(\"h2\", {\n    \"id\": \"miért-jó-befektetés-a-menedzselt-vdp\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#mi%C3%A9rt-j%C3%B3-befektet%C3%A9s-a-menedzselt-vdp\",\n    \"aria-label\": \"miért jó befektetés a menedzselt vdp permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Mi\\xE9rt j\\xF3 befektet\\xE9s a menedzselt VDP?\"), mdx(\"p\", null, \"B\\xE1r egy menedzselt VDP program bevezet\\xE9se els\\u0151re kiad\\xE1snak t\\u0171nhet, hosszabb t\\xE1von k\\xF6lts\\xE9ghat\\xE9kony megold\\xE1s. 
A k\\xFCls\\u0151 szak\\xE9rt\\u0151k bevon\\xE1s\\xE1val nem csak a m\\u0171veletek hat\\xE9konys\\xE1ga n\\xF6vekszik \\xE9s a t\\xE9ves riaszt\\xE1sok sz\\xE1ma cs\\xF6kken, hanem a v\\xE1llalat bels\\u0151 er\\u0151forr\\xE1sai is jobban kihaszn\\xE1lhat\\xF3v\\xE1 v\\xE1lnak. Ennek eredm\\xE9nyek\\xE9ppen a c\\xE9g g\\xF6rd\\xFCl\\xE9kenyebben m\\u0171k\\xF6dik, \\xEDgy t\\xF6bb id\\u0151t \\xE9s energi\\xE1t ford\\xEDthat alapvet\\u0151 \\xFCzleti c\\xE9ljaira.\"), mdx(\"p\", null, \"A k\\xFCls\\u0151 partner gyorsas\\xE1ga, alkalmazkod\\xF3k\\xE9pess\\xE9ge \\xE9s m\\xE9lyrehat\\xF3 szak\\xE9rtelme garant\\xE1lja, hogy a v\\xE1llalat kiberbiztons\\xE1gi poz\\xEDci\\xF3ja mindig naprak\\xE9sz legyen, \\xE9s lehet\\u0151v\\xE9 teszi a k\\xF6lts\\xE9gek hossz\\xFAt\\xE1v\\xFA cs\\xF6kkent\\xE9s\\xE9t is.\"), mdx(\"h2\", {\n    \"id\": \"hogyan-segíthetünk\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#hogyan-seg%C3%ADthet%C3%BCnk\",\n    \"aria-label\": \"hogyan segíthetünk permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Hogyan seg\\xEDthet\\xFCnk?\"), mdx(\"p\", null, \"A Hackrate csapata t\\xF6bb \\xE9ves tapasztalattal rendelkezik a VDP ter\\xFClet\\xE9n, sz\\xE1mos nemzetk\\xF6zi referenci\\xE1val. 
Menedzselt VDP programunk seg\\xEDts\\xE9g\\xE9vel hat\\xE9konyan azonos\\xEDthatja \\xE9s kezelheti v\\xE1llalata sebezhet\\u0151s\\xE9geit, ezzel jelent\\u0151sen cs\\xF6kkentve a kiberbiztons\\xE1gi kock\\xE1zatokat.\"), mdx(\"p\", null, \"VDP-szolg\\xE1ltat\\xE1saink r\\xE9szleteir\\u0151l itt olvashat: \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://www.hckrt.com/Home/mVDP\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"Managed Vulnerability Disclosure\")), mdx(\"p\", null, \"VDP-vel \\xE9s kiberbiztons\\xE1gi megold\\xE1sokkal kapcsolatban keressen minket \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://www.hckrt.com/Home/Contact\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"itt\"), \" vagy \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"mailto:sales@hckrt.com\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"emailen\"), \" kereszt\\xFCl.\"));\n}\n;\nMDXContent.isMDXComponent = true;","slug":"/blog/A-VDP-szerepe-a-NIS-2-megfelelesben/","timeToRead":"7 min read","date":"September 02, 2024","dateString":"September 02, 2024","datePublishedSeoFormat":"2024-09-02","title":"A VDP szerepe a NIS 2 megfelelésben: Amit a sérülékenység közzétételi irányelvről tudni kell","excerpt":"Az előző cikkben bemutattuk a NIS 2 irányelv követelményeit és a magyar vállalatokra gyakorolt hatását. Ebben a posztban részletesen tárgyaljuk a sérülékenység közzétételi irányelvet (VDP), amely a NIS 2 egyik kulcsfontosságú eleme. 
Megvizsgáljuk, miért nem elegendő egy egyszerű email cím a sérülékenységek bejelentésére, és miért van szükség jól felépített, strukturált VDP-re a vállalatok kiberbiztonsági pozíciójának erősítésére.","tags":["security-testing","ethical-hacking","news"],"lastModificationTime":null,"lastModificationTimeString":null,"dateModifiedSeoFormat":null,"hero":{"full":{"base64":"data:image/png;base64,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","aspectRatio":1.78397212543554,"src":"/static/8248144d80d3bef8ca997c82f595289b/5d2c5/A-VDP-szerepe-a-NIS-2-megfelelesben.png","srcSet":"/static/8248144d80d3bef8ca997c82f595289b/6ba37/A-VDP-szerepe-a-NIS-2-megfelelesben.png 512w,\n/static/8248144d80d3bef8ca997c82f595289b/5d2c5/A-VDP-szerepe-a-NIS-2-megfelelesben.png 1000w","srcWebp":"/static/8248144d80d3bef8ca997c82f595289b/36ebb/A-VDP-szerepe-a-NIS-2-megfelelesben.webp","srcSetWebp":"/static/8248144d80d3bef8ca997c82f595289b/e4e36/A-VDP-szerepe-a-NIS-2-megfelelesben.webp 512w,\n/static/8248144d80d3bef8ca997c82f595289b/36ebb/A-VDP-szerepe-a-NIS-2-megfelelesben.webp 1000w","sizes":"(max-width: 1000px) 100vw, 1000px"}},"commentId":"/blog/A-VDP-szerepe-a-NIS-2-megfelelesben/","tableOfContents":{"items":[{"url":"#miért-fontos-része-a-vdp-a-nis-2-rendeletnek","title":"Miért fontos része a VDP a NIS 2 rendeletnek?"},{"url":"#milyen-következményekkel-járhat-ha-egy-cég-elhanyagolja-a-vdp-t","title":"Milyen következményekkel járhat, ha egy cég elhanyagolja a VDP-t?","items":[{"url":"#rejtve-maradt-sebezhetőségek","title":"Rejtve maradt sebezhetőségek"},{"url":"#jogi-és-reputációs-kockázatok","title":"Jogi és reputációs kockázatok"},{"url":"#it-biztonsági-kockázat","title":"IT biztonsági kockázat"},{"url":"#megfelelőségi-problémák","title":"Megfelelőségi problémák"}]},{"url":"#hogyan-néz-ki-egy-jól-megtervezett-vdp","title":"Hogyan néz ki egy jól megtervezett VDP?","items":[{"url":"#a-vdp-kulcsfontosságú-részei","title":"A VDP kulcsfontosságú 
részei:"}]},{"url":"#a-vdp-folyamata-lépésről-lépésre","title":"A VDP folyamata, lépésről lépésre","items":[{"url":"#1-lépés-keretrendszer-kialakítása","title":"1. lépés: Keretrendszer kialakítása"},{"url":"#2-lépés-sebezhetőségi-bejelentő-űrlap-létrehozása","title":"2. lépés: Sebezhetőségi bejelentő űrlap létrehozása"},{"url":"#3-lépés-ellenőrzött-jelentések-fogadása","title":"3. lépés: Ellenőrzött jelentések fogadása"},{"url":"#4-lépés-a-sebezhetőségek-kezelése","title":"4. lépés: A sebezhetőségek kezelése"}]},{"url":"#miért-tanácsos-a-vdp-t-kiberbiztonságban-jártas-partnerrel-együttműködve-kialakítani","title":"Miért tanácsos a VDP-t kiberbiztonságban jártas partnerrel együttműködve kialakítani?","items":[{"url":"#szakértői-tudás-és-tapasztalat","title":"Szakértői tudás és tapasztalat"},{"url":"#folyamatos-figyelem","title":"Folyamatos figyelem"},{"url":"#technikai-szakértelem","title":"Technikai szakértelem"},{"url":"#folyamatok-optimalizálása","title":"Folyamatok optimalizálása"},{"url":"#jogi-szakértelem","title":"Jogi szakértelem"},{"url":"#strukturált-bejelentő-felület","title":"Strukturált bejelentő felület"}]},{"url":"#miért-jó-befektetés-a-menedzselt-vdp","title":"Miért jó befektetés a menedzselt VDP?"},{"url":"#hogyan-segíthetünk","title":"Hogyan segíthetünk?"}]},"lastModifiedTime":"2024-09-02T09:00:00.000Z","lastModifiedTimeString":"September 02, 2024"},{"id":"54f862db-7c65-59ab-ab6f-54a879fd462e","author":"Balazs Pozner","body":"var _excluded = [\"components\"];\nfunction _extends() { _extends = Object.assign ? 
Object.assign.bind() : function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n/* @jsxRuntime classic */\n/* @jsx mdx */\n\nvar _frontmatter = {\n  \"templateKey\": \"blog-post\",\n  \"title\": \"Why choose managed Vulnerability Disclosure Programs (mVDP)?\",\n  \"description\": \"Discover the importance of a well-structured Vulnerability Disclosure Policy (VDP) in the context of the NIS 2 Directive. 
Learn how VDPs enhance security, ensure legal compliance, boost reputation, and foster collaboration with the cybersecurity community.\",\n  \"author\": \"Balazs Pozner\",\n  \"authorURL\": \"https://twitter.com/hackrate\",\n  \"date\": \"2024-08-30T09:00:00.000Z\",\n  \"image\": \"/img/blog/Why-Choose-Managed-Vulnerability-Disclosure-Programs-(mVDP).png\",\n  \"tags\": [\"security-testing\", \"ethical-hacking\", \"news\"]\n};\nvar layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = \"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n    props = _objectWithoutProperties(_ref, _excluded);\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"p\", null, \"In our \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://blog.hckrt.com/blog/Navigating-the-NIS-2-directive--Key-takeaways/\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"previous article\"), \", we outlined the requirements listed in the NIS 2 Directive and their impact on companies. Today we\\u2019re going to dive into a critical aspect of NIS 2: the Vulnerability Disclosure Policy (VDP).\"), mdx(\"p\", null, \"What is a VDP? A Vulnerability Disclosure Policy (VDP) is an official document and structured process that details how a company receives, evaluates, and manages vulnerability reports from external cybersecurity experts. This process is vital to maintaining the security of your company\\u2019s digital infrastructure. In the industry, VDPs are also known as Coordinated Vulnerability Disclosures (CVDs) and Responsible Disclosure Programs (RDPs). These terms are often used interchangeably to refer to the same concept of managing security vulnerabilities reported by third parties.\"), mdx(\"p\", null, \"The NIS 2 Directive requires the implementation of a VDP, depending on how the Member State implements the Directive. 
Some companies may question whether providing an email address is sufficient to report a vulnerability.\"), mdx(\"p\", null, \"In today\\u2019s increasingly digital landscape, a well-structured Vulnerability Disclosure Policy (VDP) is more than just a good practice\\u2014it\\u2019s a necessity for any organization committed to cybersecurity. A VDP establishes a clear framework for how companies receive, assess, and address vulnerability reports from external cybersecurity professionals. This structured approach not only ensures that potential security flaws are identified and mitigated efficiently, but it also strengthens the company\\u2019s overall security posture by proactively managing risks before they can be exploited.\"), mdx(\"p\", null, \"Beyond enhancing security, a VDP plays a crucial role in legal compliance. Many regulations, including the NIS 2 directive, require organizations to implement such policies to meet their obligations. By adhering to these legal frameworks, companies can avoid potential penalties and demonstrate their commitment to protecting sensitive data.\"), mdx(\"p\", null, \"Moreover, a well-executed VDP can significantly boost a company\\u2019s reputation. It signals to customers, partners, and the broader public that the organization takes security seriously and is transparent in its efforts to safeguard information. This transparency fosters trust and can be a key differentiator in a competitive market.\"), mdx(\"p\", null, \"Another critical aspect of a VDP is its role in fostering collaboration with the cybersecurity community. By encouraging third-party experts to responsibly report vulnerabilities, companies can tap into a vast pool of knowledge and expertise, further strengthening their defenses. 
This collaborative effort not only helps in identifying potential threats but also builds a positive relationship with the security community, which can be invaluable in the ongoing battle against cyber threats.\"), mdx(\"p\", null, \"In summary, a well-designed VDP is essential for any organization looking to enhance its security, comply with legal requirements, manage its reputation, and foster valuable relationships within the cybersecurity community.\"), mdx(\"p\", null, \"In this post, we\\u2019ll explain why just providing an email address isn\\u2019t enough, what the risks are with this approach, and why every company involved needs a comprehensive VDP program.\"), mdx(\"h1\", {\n    \"id\": \"is-vdp-essential-part-of-the-nis-2-directive\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h1\",\n    \"href\": \"#is-vdp-essential-part-of-the-nis-2-directive\",\n    \"aria-label\": \"is vdp essential part of the nis 2 directive permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Is VDP an essential part of the NIS 2 Directive?\"), mdx(\"p\", null, \"To ensure a company can promptly identify and manage security vulnerabilities, having an official reporting channel is essential. 
A well-developed VDP helps companies quickly recognize security gaps in their systems and fix them before cybercriminals can exploit them.\"), mdx(\"p\", null, \"Thus, VDP is not just a mandatory element of NIS 2 (depending on the implementation of the Member State) but a proactive tool to strengthen a company\\u2019s cybersecurity posture and reduce cybersecurity risks.\"), mdx(\"h1\", {\n    \"id\": \"why-an-email-address-alone-isnt-enough\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h1\",\n    \"href\": \"#why-an-email-address-alone-isnt-enough\",\n    \"aria-label\": \"why an email address alone isnt enough permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Why an email address alone isn\\u2019t enough\"), mdx(\"p\", null, \"Last year, we carried out an \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://learn.hckrt.com/e-book-why-vulnerability-disclosure-policy-is-a-must-for-your-company\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"extensive survey\"), \" on Vulnerability Disclosure Programs (VDPs) and discovered a surprising trend: a staggering 80% of the reports submitted were classified as spam. 
This high volume of irrelevant submissions not only clutters the reporting process but also places a significant burden on our security teams. They are forced to invest considerable time and resources in sifting through these spam reports, validating each one to ensure that genuine vulnerabilities are not overlooked.\"), mdx(\"p\", null, \"The influx of spam reports highlights a key challenge in managing VDPs effectively. As organizations strive to maintain robust security, the need for more efficient filtering and validation mechanisms becomes increasingly apparent. By refining these processes, companies can reduce the strain on their teams and focus on addressing real security threats more swiftly.\"), mdx(\"p\", null, \"Moreover, addressing the issue of spam within VDPs is essential for maintaining the effectiveness of the program. Without proper management, the overwhelming volume of spam can dilute the value of the reports and potentially lead to critical vulnerabilities being missed. Therefore, it is crucial for organizations to implement advanced tools and strategies to filter out spam and streamline the vulnerability reporting process.\"), mdx(\"p\", null, \"In summary, while VDPs are vital for identifying and mitigating security risks, the challenge of managing spam reports underscores the need for continuous improvement in how these programs are administered. By enhancing the efficiency of report validation, organizations can better protect themselves against genuine threats and maintain the effectiveness of their VDPs.\"), mdx(\"p\", null, \"Choosing a Managed VDP has several key benefits. It provides legal protection for ethical hackers and creates a clear channel for them to report vulnerabilities. This method is expected to increase the number of reported vulnerabilities, ensuring they are quickly communicated and addressed. 
By using a managed VDP, we can make the validation process more efficient, improve our security measures, and create a legally compliant environment for reporting vulnerabilities.\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"p\", {\n    parentName: \"li\"\n  }, mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"Lack of structure\"), \": The use of an email address for handling vulnerability reports often results in a lack of structured processes, leading to potential mismanagement. One major issue is the ambiguity surrounding who is responsible for reviewing the reports, which can cause significant delays and inefficiencies. Additionally, without a defined process, the response time to hackers regarding reported issues can vary greatly, leading to frustration and potential security risks. Addressing these concerns by implementing a clear and structured vulnerability disclosure process can ensure more efficient management and timely responses, ultimately enhancing the overall security posture of the organization.\")), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"p\", {\n    parentName: \"li\"\n  }, mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"Security risks\"), \": Without a formal VDP, sensitive information might be mishandled, increasing the risk of data breaches.\")), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"p\", {\n    parentName: \"li\"\n  }, mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"Compliance issues\"), \": Simply providing an email address may not meet the compliance requirements set by the NIS 2 Directive, ISO/IEC 29147: Vulnerability disclosure and ISO/IEC 30111: Vulnerability handling processes.\"))), mdx(\"h1\", {\n    \"id\": \"importance-of-a-well-designed-vdp\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h1\",\n    \"href\": \"#importance-of-a-well-designed-vdp\",\n    \"aria-label\": \"importance of a well designed vdp permalink\",\n    
\"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Importance of a well-designed VDP\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"p\", {\n    parentName: \"li\"\n  }, mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"Enhanced security\"), \": A structured VDP ensures that vulnerabilities are identified and addressed promptly, reducing the risk of exploitation.\")), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"p\", {\n    parentName: \"li\"\n  }, mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"Trust building\"), \": Demonstrating a commitment to security through a VDP builds trust with customers and stakeholders.\")), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"p\", {\n    parentName: \"li\"\n  }, mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"Regulatory compliance\"), \": A comprehensive VDP helps companies comply with legal and regulatory requirements, avoiding potential fines and penalties.\"))), mdx(\"p\", null, \"Implementing a robust VDP is not just about compliance; it is a critical component of a company\\u2019s overall cybersecurity strategy. By proactively managing vulnerabilities, companies can protect their assets, reputation, and customers. The NIS2 directive has underscored the importance of efficient vulnerability management. 
For cybersecurity experts and company leaders, a managed Vulnerability Disclosure Program (mVDP) offers numerous advantages over traditional VDPs.\"), mdx(\"h1\", {\n    \"id\": \"consequences-of-neglecting-vulnerability-disclosure-policy\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h1\",\n    \"href\": \"#consequences-of-neglecting-vulnerability-disclosure-policy\",\n    \"aria-label\": \"consequences of neglecting vulnerability disclosure policy permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Consequences of neglecting Vulnerability Disclosure Policy\"), mdx(\"p\", null, \"Neglecting a Vulnerability Disclosure Policy (VDP) can expose an organization to significant risks, undermining its security and reputation. Without an official channel for ethical hackers to report security vulnerabilities, the discovery of these issues can be delayed, posing serious risks to system security. Hidden vulnerabilities become prime targets for cybercriminals, increasing the likelihood of exploitation.\"), mdx(\"p\", null, \"The absence of a VDP also brings substantial legal and reputational risks if a vulnerability leads to data loss or other damages. Beyond legal consequences, public perception can suffer, especially if incidents are not handled transparently. 
The greatest loss, however, is the erosion of trust, as customers and partners may no longer believe in the company\\u2019s ability to protect valuable data.\"), mdx(\"p\", null, \"Furthermore, without well-structured processes for handling security reports, teams can become overwhelmed with unchecked or irrelevant information. An overburdened IT team cannot effectively manage the influx of information, leading to wasted time and resources. Consequently, critical vulnerability information from external sources may get lost in the noise, creating security blind spots.\"), mdx(\"p\", null, \"Compliance issues are another critical concern. The absence of a VDP poses serious legal and business risks. Companies that fail to comply with cybersecurity regulations may face severe financial penalties, further damaging their financial standing and market reputation.\"), mdx(\"p\", null, \"Overall, a company without a VDP is more likely to become a target for cyberattacks, leading to legal problems and reputational damage. The lack of a VDP also hinders the company\\u2019s ability to build a robust security system and foster collaborative relationships with the cybersecurity community. 
By implementing a comprehensive VDP, organizations can mitigate these risks, ensuring a more secure and trustworthy environment for their stakeholders.\"), mdx(\"h1\", {\n    \"id\": \"how-to-set-up-your-managed-vdp\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h1\",\n    \"href\": \"#how-to-set-up-your-managed-vdp\",\n    \"aria-label\": \"how to set up your managed vdp permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"How to set up your managed VDP?\"), mdx(\"ol\", null, mdx(\"li\", {\n    parentName: \"ol\"\n  }, mdx(\"p\", {\n    parentName: \"li\"\n  }, mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"Framework development\"), \": We help define the VDP content to ensure legal protection for those who report vulnerabilities in the prescribed manner.\")), mdx(\"li\", {\n    parentName: \"ol\"\n  }, mdx(\"p\", {\n    parentName: \"li\"\n  }, mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"Using Hackrate vulnerability reporting form\"), \": Our team assists in embedding the vulnerability reporting form on the company\\u2019s website. 
It is important to clearly indicate that active security testing is not encouraged.\"))), mdx(\"p\", null, mdx(\"span\", {\n    parentName: \"p\",\n    \"className\": \"gatsby-resp-image-wrapper\",\n    \"style\": {\n      \"position\": \"relative\",\n      \"display\": \"block\",\n      \"marginLeft\": \"auto\",\n      \"marginRight\": \"auto\",\n      \"maxWidth\": \"1390px\"\n    }\n  }, \"\\n      \", mdx(\"span\", {\n    parentName: \"span\",\n    \"className\": \"gatsby-resp-image-background-image\",\n    \"style\": {\n      \"paddingBottom\": \"67.29166666666666%\",\n      \"position\": \"relative\",\n      \"bottom\": \"0\",\n      \"left\": \"0\",\n      \"backgroundImage\": \"url('data:image/png;base64,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')\",\n      \"backgroundSize\": \"cover\",\n      \"display\": \"block\"\n    }\n  }), \"\\n  \", mdx(\"picture\", {\n    parentName: \"span\"\n  }, \"\\n          \", mdx(\"source\", {\n    parentName: \"picture\",\n    \"srcSet\": [\"/static/0ae88e7adff9e5a07b3bec7c3e22dcaa/42669/Publish-our-VDP-form.webp 480w\", \"/static/0ae88e7adff9e5a07b3bec7c3e22dcaa/10c02/Publish-our-VDP-form.webp 960w\", \"/static/0ae88e7adff9e5a07b3bec7c3e22dcaa/d5054/Publish-our-VDP-form.webp 1390w\"],\n    \"sizes\": \"(max-width: 1390px) 100vw, 1390px\",\n    \"type\": \"image/webp\"\n  }), \"\\n          \", mdx(\"source\", {\n    parentName: \"picture\",\n    \"srcSet\": [\"/static/0ae88e7adff9e5a07b3bec7c3e22dcaa/ab158/Publish-our-VDP-form.png 480w\", \"/static/0ae88e7adff9e5a07b3bec7c3e22dcaa/7d769/Publish-our-VDP-form.png 960w\", \"/static/0ae88e7adff9e5a07b3bec7c3e22dcaa/f0baf/Publish-our-VDP-form.png 1390w\"],\n    \"sizes\": \"(max-width: 1390px) 100vw, 1390px\",\n    \"type\": \"image/png\"\n  }), \"\\n          \", mdx(\"img\", {\n    parentName: \"picture\",\n    \"className\": \"gatsby-resp-image-image\",\n    \"src\": \"/static/0ae88e7adff9e5a07b3bec7c3e22dcaa/f0baf/Publish-our-VDP-form.png\",\n    \"alt\": 
\"Publish our VDP form\",\n    \"title\": \"Publish our VDP form\",\n    \"loading\": \"lazy\",\n    \"style\": {\n      \"width\": \"100%\",\n      \"height\": \"100%\",\n      \"margin\": \"0\",\n      \"verticalAlign\": \"middle\",\n      \"position\": \"absolute\",\n      \"top\": \"0\",\n      \"left\": \"0\"\n    }\n  }), \"\\n        \"), \"\\n    \")), mdx(\"ol\", {\n    \"start\": 3\n  }, mdx(\"li\", {\n    parentName: \"ol\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"Receiving validated reports\"), \": We validate all incoming reports through the platform before forwarding them to the company\\u2019s IT team.\")), mdx(\"p\", null, mdx(\"span\", {\n    parentName: \"p\",\n    \"className\": \"gatsby-resp-image-wrapper\",\n    \"style\": {\n      \"position\": \"relative\",\n      \"display\": \"block\",\n      \"marginLeft\": \"auto\",\n      \"marginRight\": \"auto\",\n      \"maxWidth\": \"1390px\"\n    }\n  }, \"\\n      \", mdx(\"span\", {\n    parentName: \"span\",\n    \"className\": \"gatsby-resp-image-background-image\",\n    \"style\": {\n      \"paddingBottom\": \"67.29166666666666%\",\n      \"position\": \"relative\",\n      \"bottom\": \"0\",\n      \"left\": \"0\",\n      \"backgroundImage\": \"url('data:image/png;base64,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')\",\n      \"backgroundSize\": \"cover\",\n      \"display\": \"block\"\n    }\n  }), \"\\n  \", mdx(\"picture\", {\n    parentName: \"span\"\n  }, \"\\n          \", mdx(\"source\", {\n    parentName: \"picture\",\n    \"srcSet\": [\"/static/30141abbb551d14901a80ed22ae3fd36/42669/Receive-validated-reports.webp 480w\", \"/static/30141abbb551d14901a80ed22ae3fd36/10c02/Receive-validated-reports.webp 960w\", \"/static/30141abbb551d14901a80ed22ae3fd36/d5054/Receive-validated-reports.webp 1390w\"],\n    \"sizes\": \"(max-width: 1390px) 100vw, 1390px\",\n    \"type\": \"image/webp\"\n  }), \"\\n          \", mdx(\"source\", {\n    parentName: \"picture\",\n    
\"srcSet\": [\"/static/30141abbb551d14901a80ed22ae3fd36/ab158/Receive-validated-reports.png 480w\", \"/static/30141abbb551d14901a80ed22ae3fd36/7d769/Receive-validated-reports.png 960w\", \"/static/30141abbb551d14901a80ed22ae3fd36/f0baf/Receive-validated-reports.png 1390w\"],\n    \"sizes\": \"(max-width: 1390px) 100vw, 1390px\",\n    \"type\": \"image/png\"\n  }), \"\\n          \", mdx(\"img\", {\n    parentName: \"picture\",\n    \"className\": \"gatsby-resp-image-image\",\n    \"src\": \"/static/30141abbb551d14901a80ed22ae3fd36/f0baf/Receive-validated-reports.png\",\n    \"alt\": \"Receive validated reports\",\n    \"title\": \"Receive validated reports\",\n    \"loading\": \"lazy\",\n    \"style\": {\n      \"width\": \"100%\",\n      \"height\": \"100%\",\n      \"margin\": \"0\",\n      \"verticalAlign\": \"middle\",\n      \"position\": \"absolute\",\n      \"top\": \"0\",\n      \"left\": \"0\"\n    }\n  }), \"\\n        \"), \"\\n    \")), mdx(\"ol\", {\n    \"start\": 4\n  }, mdx(\"li\", {\n    parentName: \"ol\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"Managing vulnerabilities\"), \": The final step involves managing and fixing the reported vulnerabilities. 
Throughout the process, the Hackrate team facilitates communication between the company and ethical hackers.\")), mdx(\"h2\", {\n    \"id\": \"partner-with-hackrate-for-vdp-implementation\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#partner-with-hackrate-for-vdp-implementation\",\n    \"aria-label\": \"partner with hackrate for vdp implementation permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Partner with Hackrate for VDP implementation\"), mdx(\"p\", null, \"Partnering with us for the implementation of a Vulnerability Disclosure Program (VDP) is a strategic move that can significantly enhance your organization\\u2019s cybersecurity posture. Implementing and operating a VDP is a complex task fraught with numerous challenges, but collaborating with an experienced cybersecurity firm like Hackrate offers several key advantages.\"), mdx(\"p\", null, \"Firstly, Hackrate brings expert knowledge and extensive experience to the table. Our team, well-versed in VDPs, possesses the necessary expertise to create and maintain an effective and reliable framework over the long term. This ensures that your VDP is not only robust but also adaptable to evolving security threats.\"), mdx(\"p\", null, \"Continuous monitoring is another critical aspect. 
Monitoring and managing incoming reports can be time-consuming and overwhelming for internal teams. Hackrate\\u2019s expert team ensures that every report receives the necessary attention, allowing your company to respond promptly and efficiently to potential vulnerabilities.\"), mdx(\"p\", null, \"Technical expertise is crucial for handling VDP-related tasks, which often require deep technical knowledge. Our experienced team can manage complex technical issues and find appropriate solutions, ensuring that vulnerabilities are addressed effectively and efficiently.\"), mdx(\"p\", null, \"Process optimization is another area where Hackrate can make a significant impact. Our team can help streamline the processes for handling reports, reducing the number of false positives and increasing the program\\u2019s overall efficiency. This optimization not only saves time and resources but also ensures that critical vulnerabilities are not overlooked.\"), mdx(\"p\", null, \"Moreover, Hackrate can develop a structured reporting interface that simplifies report management and filters out false positives. This structured approach ensures that your IT team can focus on genuine threats, enhancing the overall effectiveness of your VDP.\"), mdx(\"p\", null, \"In summary, partnering with Hackrate for VDP implementation offers numerous benefits, including expert knowledge, continuous monitoring, technical expertise, process optimization, legal compliance, and a structured reporting interface. This collaboration enables your company to manage security risks more effectively, protect valuable data, and foster a safer environment for your stakeholders. 
By leveraging Hackrate\\u2019s expertise, you can build a robust security system.\"), mdx(\"h1\", {\n    \"id\": \"how-can-we-help\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h1\",\n    \"href\": \"#how-can-we-help\",\n    \"aria-label\": \"how can we help permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"How can we help?\"), mdx(\"p\", null, \"The Hackrate team boasts years of experience in the field of Vulnerability Disclosure Programs, with numerous international references. 
Our managed VDP program enables you to effectively identify and address your company\\u2019s vulnerabilities, significantly reducing cybersecurity risks.\"), mdx(\"p\", null, \"For detailed information about our VDP services, visit: \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://www.hckrt.com/Home/mVDP\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"Managed Vulnerability Disclosure.\")), mdx(\"p\", null, \"For inquiries about VDP and cybersecurity solutions, reach out to us here or via email (\", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"mailto:sales@hckrt.com\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"sales@hckrt.com\"), \").\"));\n}\n;\nMDXContent.isMDXComponent = true;","slug":"/blog/Why-Choose-Managed-Vulnerability-Disclosure-Programs-(mVDP)/","timeToRead":"10 min read","date":"August 30, 2024","dateString":"August 30, 2024","datePublishedSeoFormat":"2024-08-30","title":"Why choose managed Vulnerability Disclosure Programs (mVDP)?","excerpt":"Discover the importance of a well-structured Vulnerability Disclosure Policy (VDP) in the context of the NIS 2 Directive. 
Learn how VDPs enhance security, ensure legal compliance, boost reputation, and foster collaboration with the cybersecurity community.","tags":["security-testing","ethical-hacking","news"],"lastModificationTime":null,"lastModificationTimeString":null,"dateModifiedSeoFormat":null,"hero":{"full":{"base64":"data:image/png;base64,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","aspectRatio":1.78397212543554,"src":"/static/1c425e4cb3282dc652d58301b7619c70/5d2c5/Why-Choose-Managed-Vulnerability-Disclosure-Programs-(mVDP).png","srcSet":"/static/1c425e4cb3282dc652d58301b7619c70/6ba37/Why-Choose-Managed-Vulnerability-Disclosure-Programs-(mVDP).png 512w,\n/static/1c425e4cb3282dc652d58301b7619c70/5d2c5/Why-Choose-Managed-Vulnerability-Disclosure-Programs-(mVDP).png 1000w","srcWebp":"/static/1c425e4cb3282dc652d58301b7619c70/36ebb/Why-Choose-Managed-Vulnerability-Disclosure-Programs-(mVDP).webp","srcSetWebp":"/static/1c425e4cb3282dc652d58301b7619c70/e4e36/Why-Choose-Managed-Vulnerability-Disclosure-Programs-(mVDP).webp 512w,\n/static/1c425e4cb3282dc652d58301b7619c70/36ebb/Why-Choose-Managed-Vulnerability-Disclosure-Programs-(mVDP).webp 1000w","sizes":"(max-width: 1000px) 100vw, 1000px"}},"commentId":"/blog/Why-Choose-Managed-Vulnerability-Disclosure-Programs-(mVDP)/","tableOfContents":{"items":[{"url":"#is-vdp-essential-part-of-the-nis-2-directive","title":"Is VDP essential part of the NIS 2 Directive?"},{"url":"#why-an-email-address-alone-isnt-enough","title":"Why an email address alone isn’t enough"},{"url":"#importance-of-a-well-designed-vdp","title":"Importance of a well-designed VDP"},{"url":"#consequences-of-neglecting-vulnerability-disclosure-policy","title":"Consequences of neglecting Vulnerability Disclosure Policy"},{"url":"#how-to-set-up-your-managed-vdp","title":"How to set up your managed VDP?","items":[{"url":"#partner-with-hackrate-for-vdp-implementation","title":"Partner with Hackrate for VDP implementation"}]},{"url":"#how-can-we-help","title":"How can 
we help?"}]},"lastModifiedTime":"2024-08-30T09:00:00.000Z","lastModifiedTimeString":"August 30, 2024"}],"previous":{"id":"af9be85a-bfb6-57fa-957c-10d3c131ae59","author":"Balazs Pozner","body":"var _excluded = [\"components\"];\nfunction _extends() { _extends = Object.assign ? Object.assign.bind() : function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n/* @jsxRuntime classic */\n/* @jsx mdx */\n\nvar _frontmatter = {\n  \"templateKey\": \"blog-post\",\n  \"title\": \"ENISA NIS2 mapping makes vulnerability handling and disclosure a standalone requirement\",\n  \"description\": \"ENISA’s NIS2 technical implementation guidance treats vulnerability handling and disclosure (control 6.10) as a standalone requirement. 
This article explains what an assessor-grade vulnerability disclosure policy looks like in practice.\",\n  \"author\": \"Balazs Pozner\",\n  \"authorURL\": \"https://twitter.com/hackrate\",\n  \"date\": \"2026-01-26T09:00:00.000Z\",\n  \"image\": \"/img/blog/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.png\",\n  \"tags\": [\"security-testing\", \"ethical-hacking\", \"news\"]\n};\nvar layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = \"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n    props = _objectWithoutProperties(_ref, _excluded);\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"p\", null, \"ENISA\\u2019s NIS2 technical implementation guidance treats vulnerability handling and disclosure as a distinct control area (6.10), separate from security testing (6.5) and security patch management (6.6). The practical implication is that organizations should be able to evidence an end to end vulnerability handling process that includes external intake, internal triage, remediation linkage, and disclosure handling aligned to applicable national coordinated vulnerability disclosure policy.\"), mdx(\"p\", null, \"A vulnerability disclosure policy (VDP) is not sufficient on its own. 
What matters is a VDP backed by an operating workflow with records that demonstrate 6.10 is implemented.\"), mdx(\"h2\", {\n    \"id\": \"what-enisa-separates-in-practice\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#what-enisa-separates-in-practice\",\n    \"aria-label\": \"what enisa separates in practice permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"What ENISA separates in practice\"), mdx(\"p\", null, \"For implementation purposes, three activities that are often blended in day to day security operations should be evidenced distinctly:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"Security testing (6.5):\"), \" planned assessments with defined scope, methodology and reporting.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"Security patch management (6.6):\"), \" remediation planning, patch deployment and operational confirmation of fixes.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"Vulnerability handling and disclosure (6.10):\"), \" obtaining vulnerability information, assessing exposure, addressing critical vulnerabilities without undue delay, integrating 
handling with other management processes and maintaining a disclosure procedure aligned to coordinated vulnerability disclosure policy.\")), mdx(\"p\", null, \"The key point is not organizational structure. It is evidence. Assessors will look for control specific artefacts and records that demonstrate 6.10 is implemented, repeatable and used.\"), mdx(\"h2\", {\n    \"id\": \"minimum-viable-vdp-that-can-be-evidenced\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#minimum-viable-vdp-that-can-be-evidenced\",\n    \"aria-label\": \"minimum viable vdp that can be evidenced permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Minimum viable VDP that can be evidenced\"), mdx(\"p\", null, \"A VDP that stands up to scrutiny is a policy plus a workflow plus records. 
At minimum, the policy should define reporting channels, scope and safe harbor, triage targets, severity assessment, remediation and disclosure handling.\"), mdx(\"h3\", {\n    \"id\": \"public-reporting-channels\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#public-reporting-channels\",\n    \"aria-label\": \"public reporting channels permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Public reporting channels\"), mdx(\"p\", null, \"Provide a dedicated security contact and a stable reporting mechanism that remains valid over time. 
Make the reporting channel discoverable from the organization\\u2019s domain, commonly via \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"/.well-known/security.txt\"), \", and offer an option for encrypted communication, such as a published PGP key.\"), mdx(\"h3\", {\n    \"id\": \"scope-and-safe-harbor\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#scope-and-safe-harbor\",\n    \"aria-label\": \"scope and safe harbor permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Scope and safe harbor\"), mdx(\"p\", null, \"Define which systems are in scope, which are excluded, and what testing behavior is allowed. State prohibited activities explicitly, including denial of service, social engineering, and physical intrusion. 
Include a good faith safe harbor statement.\"), mdx(\"h3\", {\n    \"id\": \"triage-and-response-targets\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#triage-and-response-targets\",\n    \"aria-label\": \"triage and response targets permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Triage and response targets\"), mdx(\"p\", null, \"Define measurable targets that you can meet and audit. 
For example, acknowledge receipt within 2 business days, provide an initial triage outcome within 7 business days, and define remediation targets by severity.\"), mdx(\"h3\", {\n    \"id\": \"severity-and-prioritization-method\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#severity-and-prioritization-method\",\n    \"aria-label\": \"severity and prioritization method permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Severity and prioritization method\"), mdx(\"p\", null, \"Use a consistent scoring approach (such as CVSS v3.1 or v4.0), and document what inputs drive the score in your environment.\"), mdx(\"h3\", {\n    \"id\": \"remediation-linkage-and-verification\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#remediation-linkage-and-verification\",\n    \"aria-label\": \"remediation linkage and verification permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 
9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Remediation linkage and verification\"), mdx(\"p\", null, \"Every accepted report should map to an internal tracking ticket with an accountable owner, fix target and status. Closure should require verification evidence, such as retest notes, fixed version identifiers, and deployment confirmation, not only a developer comment stating \\u201Cresolved.\\u201D If a report is closed as \\u201Cwon\\u2019t fix,\\u201D require a recorded rationale and approval.\"), mdx(\"h2\", {\n    \"id\": \"workflow-design-that-prevents-predictable-failure-modes\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#workflow-design-that-prevents-predictable-failure-modes\",\n    \"aria-label\": \"workflow design that prevents predictable failure modes permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Workflow design that prevents predictable failure modes\"), mdx(\"p\", null, \"A disclosure workflow fails in repeatable ways. 
A workable design reduces noise, enforces reproducibility, assigns accountable ownership, and produces evidence that can survive assessment.\"), mdx(\"p\", null, \"Filtering should remove reports that cannot be actioned. Define reject criteria for out of scope targets, missing reproduction steps, unclear impact, and non actionable scanner output. Deduplication should be based on root cause and exploit path, not URL variations, and should preserve credit attribution when multiple reporters converge on the same issue.\"), mdx(\"p\", null, \"Route every accepted report through a tracked system, not email forwarding. Require structured fields that allow audits and reporting, including asset and environment, severity and rationale, accountable owner, due date, fix version, deployment evidence, and a disclosure status log. Avoid \\u201Cshared inbox only\\u201D ownership models, because they produce gaps when staffing changes and make SLAs non verifiable.\"), mdx(\"h2\", {\n    \"id\": \"self-managed-vdp-risks-and-controls\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#self-managed-vdp-risks-and-controls\",\n    \"aria-label\": \"self managed vdp risks and controls permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Self managed VDP risks and 
controls\"), mdx(\"p\", null, \"A self managed VDP can work, but only if it is resourced, measurable and enforced. Common failure modes and controls include:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"High noise volume:\"), \" enforce submission requirements, reject non reproducible reports, and implement deduplication based on root cause.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"Inconsistent triage decisions:\"), \" publish acceptance criteria and apply a standard reproduction and severity checklist.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"Misrouting and delays:\"), \" require a single owned intake channel, tracked case management, and named owners.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"Communication gaps:\"), \" use templated acknowledgements, scheduled status updates and defined escalation triggers.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"Evidence gaps:\"), \" retain timestamps, decisions, remediation linkage, and verification artefacts so cases can be reconstructed during assessment.\")), mdx(\"h2\", {\n    \"id\": \"when-hackrate-managed-vdp-is-justified\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#when-hackrate-managed-vdp-is-justified\",\n    \"aria-label\": \"when hackrate managed vdp is justified permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 
0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"When Hackrate managed VDP is justified\"), mdx(\"p\", null, \"For many organizations, the hardest part of 6.10 is not writing a policy. It is operating the intake and triage loop reliably at volume with complete records.\"), mdx(\"p\", null, \"Hackrate provides the Hackrate Ethical Hacking platform to manage vulnerability submissions through a structured intake channel with case tracking and an auditable record of actions and communications. We help validate reported issues, including reproduction and impact clarification, so your internal teams receive actionable findings rather than unfiltered inbox traffic. We also handle communication with ethical hackers, including acknowledgements, clarification requests, and status updates, so timelines remain predictable and interactions remain consistent.\"), mdx(\"p\", null, \"Hackrate also provides the legal and operational documents required to run a VDP, so teams do not need to draft them from scratch. This includes VDP policy language, scope and safe harbor terms, disclosure rules, and program terms that can be adapted to your environment.\"), mdx(\"p\", null, \"In this model, your organization retains decision rights for risk acceptance, remediation prioritization, and deployment approval. 
Hackrate focuses on managed intake, validation support, and communications, plus a complete evidence trail that connects submissions to triage outcomes and remediation status.\"));\n}\n;\nMDXContent.isMDXComponent = true;","slug":"/blog/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement/","timeToRead":"5 min read","date":"January 26, 2026","dateString":"January 26, 2026","datePublishedSeoFormat":"2026-01-26","title":"ENISA NIS2 mapping makes vulnerability handling and disclosure a standalone requirement","excerpt":"ENISA’s NIS2 technical implementation guidance treats vulnerability handling and disclosure (control 6.10) as a standalone requirement. This article explains what an assessor-grade vulnerability disclosure policy looks like in practice.","tags":["security-testing","ethical-hacking","news"],"lastModificationTime":null,"lastModificationTimeString":null,"dateModifiedSeoFormat":null,"hero":{"full":{"base64":"data:image/png;base64,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","aspectRatio":1.78397212543554,"src":"/static/0412079155af02d8915db4717f60957e/43a2d/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.png","srcSet":"/static/0412079155af02d8915db4717f60957e/6ba37/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.png 512w,\n/static/0412079155af02d8915db4717f60957e/4e530/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.png 1024w,\n/static/0412079155af02d8915db4717f60957e/43a2d/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.png 2048w,\n/static/0412079155af02d8915db4717f60957e/0b1d6/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.png 
2768w","srcWebp":"/static/0412079155af02d8915db4717f60957e/ceab5/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.webp","srcSetWebp":"/static/0412079155af02d8915db4717f60957e/e4e36/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.webp 512w,\n/static/0412079155af02d8915db4717f60957e/e0f73/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.webp 1024w,\n/static/0412079155af02d8915db4717f60957e/ceab5/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.webp 2048w,\n/static/0412079155af02d8915db4717f60957e/ab56b/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.webp 2768w","sizes":"(max-width: 2048px) 100vw, 2048px"}},"commentId":"/blog/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement/","tableOfContents":{"items":[{"url":"#what-enisa-separates-in-practice","title":"What ENISA separates in practice"},{"url":"#minimum-viable-vdp-that-can-be-evidenced","title":"Minimum viable VDP that can be evidenced","items":[{"url":"#public-reporting-channels","title":"Public reporting channels"},{"url":"#scope-and-safe-harbor","title":"Scope and safe harbor"},{"url":"#triage-and-response-targets","title":"Triage and response targets"},{"url":"#severity-and-prioritization-method","title":"Severity and prioritization method"},{"url":"#remediation-linkage-and-verification","title":"Remediation linkage and verification"}]},{"url":"#workflow-design-that-prevents-predictable-failure-modes","title":"Workflow design that prevents predictable failure modes"},{"url":"#self-managed-vdp-risks-and-controls","title":"Self managed VDP risks and controls"},{"url":"#when-hackrate-managed-vdp-is-justified","title":"When Hackrate managed VDP is justified"}]},"lastModifiedTime":"2026-01-26T09:00:00.000Z","lastModifiedTimeString":"January 26, 
2026"},"permalink":"https://blog.hckrt.com/blog/thisclosed_3/"}},"staticQueryHashes":["1209262222","1714442890","2703881467","888479136"]}
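The "Public reporting channels" section of the ENISA NIS2 article above recommends publishing the contact at `/.well-known/security.txt` with an encryption option. What it does not show is how to check that such a file is actually well-formed under RFC 9116 before (or after) it goes live, which is the kind of evidence an assessor can ask for. The following validator is an added example, not code from the page or from Hackrate. It applies the RFC 9116 structural rules (required Contact and Expires fields, single-valued fields, permitted URI schemes, https for web URIs, an Expires timestamp that is in the future and not more than a year ahead) to file contents supplied as a string, so it runs offline. The two sample files, the `example.com` domain and the fixed reference date are constructed for the demonstration.

```python
# Offline validator for RFC 9116 security.txt files. Added example; the
# samples, example.com and REFERENCE_NOW below are constructed for it.
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Field names are case-insensitive; map lowercase to the canonical spelling.
KNOWN_FIELDS = {f.lower(): f for f in (
    "Contact", "Expires", "Encryption", "Acknowledgments",
    "Preferred-Languages", "Canonical", "Policy", "Hiring", "CSAF")}
REQUIRED_FIELDS = ("Contact", "Expires")
SINGLE_VALUED = ("Expires", "Preferred-Languages")
# URI schemes RFC 9116 permits per field; any web URI must be https.
URI_SCHEMES = {
    "Contact": {"https", "mailto", "tel"},
    "Encryption": {"https", "dns", "openpgp4fpr"},
    "Acknowledgments": {"https"}, "Canonical": {"https"},
    "Policy": {"https"}, "Hiring": {"https"}, "CSAF": {"https"},
}
# Fixed reference time so the demonstration is reproducible (constructed).
REFERENCE_NOW = datetime(2026, 4, 14, tzinfo=timezone.utc)


def parse_security_txt(text: str) -> tuple[dict[str, list[str]], list[str]]:
    """Return ({canonical field: [values in file order]}, [problems])."""
    fields: dict[str, list[str]] = {}
    problems: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed anywhere
        name, sep, value = line.partition(":")
        if not sep or not value.strip():
            problems.append(f"error: line {lineno}: expected 'Field: value'")
            continue
        canonical = KNOWN_FIELDS.get(name.strip().lower())
        if canonical is None:  # extension fields are ignored, not rejected
            problems.append(f"warning: line {lineno}: unknown field {name.strip()!r}")
            continue
        fields.setdefault(canonical, []).append(value.strip())
    return fields, problems


def _parse_expires(value: str) -> datetime | None:
    """Accept an RFC 3339 timestamp with a zone offset (or Z); else None."""
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return ts if ts.tzinfo is not None else None


def validate_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return problems found; each entry starts with 'error:' or 'warning:'."""
    now = now or datetime.now(timezone.utc)
    fields, problems = parse_security_txt(text)
    for req in REQUIRED_FIELDS:
        if req not in fields:
            problems.append(f"error: required field {req} is missing")
    for single in SINGLE_VALUED:
        if len(fields.get(single, [])) > 1:
            problems.append(f"error: {single} must appear exactly once")
    for field, allowed in URI_SCHEMES.items():
        for value in fields.get(field, []):
            scheme = urlsplit(value).scheme.lower()
            if scheme == "http":
                problems.append(f"error: {field}: web URIs must use https: {value}")
            elif scheme not in allowed:
                problems.append(f"error: {field}: not a usable URI: {value}")
    for value in fields.get("Canonical", []):
        if urlsplit(value).path != "/.well-known/security.txt":
            problems.append(f"warning: Canonical is not the well-known path: {value}")
    if len(fields.get("Expires", [])) == 1:
        ts = _parse_expires(fields["Expires"][0])
        if ts is None:
            problems.append("error: Expires is not an RFC 3339 timestamp with a zone")
        elif ts <= now:
            problems.append(f"error: file expired on {ts.isoformat()}")
        elif ts - now > timedelta(days=365):
            problems.append("warning: Expires is over a year ahead; RFC 9116 recommends less")
    if "Encryption" not in fields:
        problems.append("warning: no Encryption field, reporters cannot send details encrypted")
    return problems


def is_valid(text: str, now: datetime | None = None) -> bool:
    """True when validation produced no 'error:' entries (warnings tolerated)."""
    return not any(p.startswith("error:") for p in validate_security_txt(text, now))


# Constructed sample: a well-formed file for a fictional organisation.
GOOD_SAMPLE = """\
# security.txt for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/vdp/report
Expires: 2027-03-01T00:00:00Z
Encryption: https://example.com/.well-known/pgp-key.txt
Preferred-Languages: en, hu
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/vdp/policy
"""

# Constructed sample with mistakes that are easy to ship: a bare address
# instead of mailto:, an http:// contact, a date without time and zone,
# a duplicated single-valued field, and no Encryption key.
BAD_SAMPLE = """\
Contact: security@example.com
Contact: http://example.com/report
Expires: 2024-01-01
Preferred-Languages: en
Preferred-Languages: hu
"""

if __name__ == "__main__":
    for label, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(f"{label}: {'valid' if is_valid(sample, REFERENCE_NOW) else 'INVALID'}")
        for problem in validate_security_txt(sample, REFERENCE_NOW):
            print("   ", problem)
```

In production use, call `validate_security_txt` with the body fetched from `https://<your-domain>/.well-known/security.txt` and no `now` argument, so the check runs against the current time; scheduling it is a cheap way to catch the most common real-world failure, an `Expires` value that silently lapsed and left the published contact formally invalid. Warnings are kept separate from errors on purpose: a missing `Encryption` field does not make the file invalid, but it removes the encrypted reporting option the article recommends.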